diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml deleted file mode 100644 index cc24974f..00000000 --- a/.github/workflows/linter.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- -name: Unit tests - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: [push, pull_request] - -############### -# Set the Job # -############### -jobs: - build: - # Name the Job - name: Unit Test Code Base - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - name: Setup helm - uses: azure/setup-helm@v3 - with: - version: 'v3.13.2' - id: install - - ################################ - # Run Linter against code base # - ################################ - # - name: Lint Code Base - # uses: github/super-linter@v4 - # env: - # VALIDATE_ALL_CODEBASE: false - # DEFAULT_BRANCH: main - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run make test - run: | - make test - - - name: Run make helmlint - run: | - make helmlint - - # - name: Run make helm kubeconform - # run: | - # curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz - # tar xf kubeconform-linux-amd64.tar.gz - # sudo mv -v kubeconform /usr/local/bin - # make kubeconform diff --git a/common/.github/linters/.gitleaks.toml b/common/.github/linters/.gitleaks.toml index b80cdc04..9ad74347 100644 --- a/common/.github/linters/.gitleaks.toml +++ b/common/.github/linters/.gitleaks.toml @@ -1,8 +1,4 @@ [whitelist] # As of v4, gitleaks only matches against filename, not path in the # files directive. Leaving content for backwards compatibility. -files = [ - "ansible/plugins/modules/*.py", - "ansible/tests/unit/test_*.py", - "ansible/tests/unit/v1/*.yaml", -] +files = [ ] diff --git a/common/.github/workflows/ansible-lint.yml b/common/.github/workflows/ansible-lint.yml deleted file mode 100644 index c2b2981b..00000000 --- a/common/.github/workflows/ansible-lint.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Ansible Lint # feel free to pick your own name - -on: [push, pull_request] - -jobs: - build: - runs-on: ubuntu-latest - - steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v4 - - - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@v6 - # Let's point it to the path - with: - path: "ansible/" diff --git a/common/.github/workflows/ansible-unittest.yml b/common/.github/workflows/ansible-unittest.yml deleted file mode 100644 index c9f7485a..00000000 --- a/common/.github/workflows/ansible-unittest.yml +++ /dev/null @@ -1,52 +0,0 @@ ---- -name: Ansible unit tests - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: [push, pull_request] - -############### -# Set the Job # -############### -jobs: - ansible_unittests: - # Name the Job - name: Ansible unit tests - strategy: - matrix: - python-version: [3.11.3] - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python-version }} - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install pytest ansible - - - name: Run make ansible-unittest - run: | - make ansible-unittest diff --git a/common/.github/workflows/chart-branches.yml b/common/.github/workflows/chart-branches.yml deleted file mode 100644 index 4fb784f0..00000000 --- a/common/.github/workflows/chart-branches.yml +++ /dev/null @@ -1,108 +0,0 @@ ---- -name: Create per-chart branches - -# We only run this job on the charts that will be later moved to full blown charts -# We also want to run the subtree comand only for the charts that have been actually changed -# because git subtree split is a bit of an expensive operation -# github actions do not support yaml anchors so there is more duplication than usual -on: - push: - branches: - - main - paths: - - 'acm/**' - - 'golang-external-secrets/**' - - 'hashicorp-vault/**' - - 'letsencrypt/**' - - 'clustergroup/**' - -jobs: - changes: - name: Figure out per-chart changes - if: github.repository == 'validatedpatterns/common' - runs-on: ubuntu-latest - permissions: read-all - outputs: - acm: ${{ steps.filter.outputs.acm }} - golang-external-secrets: ${{ steps.filter.outputs.golang-external-secrets }} - hashicorp-vault: ${{ steps.filter.outputs.hashicorp-vault }} - letsencrypt: ${{ steps.filter.outputs.letsencrypt }} - clustergroup: ${{ steps.filter.outputs.clustergroup }} - steps: - - name: Checkout Code - uses: actions/checkout@v4 - - - uses: dorny/paths-filter@v3 - id: filter - with: - filters: | - acm: - - 'acm/**' - golang-external-secrets: - - 'golang-external-secrets/**' - hashicorp-vault: - - 'hashicorp-vault/**' - letsencrypt: - - 'letsencrypt/**' - clustergroup: - - 'clustergroup/**' - - acm: - needs: changes - if: ${{ (needs.changes.outputs.acm == 'true') && (github.repository == 'validatedpatterns/common') }} - uses: validatedpatterns/common/.github/workflows/chart-split.yml@main - permissions: - actions: write - contents: write - with: - chart_name: acm - target_repository: validatedpatterns/acm-chart - secrets: inherit - - golang-external-secrets: - needs: changes - if: ${{ (needs.changes.outputs.golang-external-secrets == 'true') && (github.repository == 'validatedpatterns/common') }} - uses: validatedpatterns/common/.github/workflows/chart-split.yml@main - permissions: - actions: write - contents: write - with: - chart_name: golang-external-secrets - target_repository: validatedpatterns/golang-external-secrets-chart - secrets: inherit - - hashicorp-vault: - needs: changes - if: ${{ (needs.changes.outputs.hashicorp-vault == 'true') && (github.repository == 'validatedpatterns/common') }} - uses: validatedpatterns/common/.github/workflows/chart-split.yml@main - permissions: - actions: write - contents: write - with: - chart_name: hashicorp-vault - target_repository: validatedpatterns/hashicorp-vault-chart - secrets: inherit - - letsencrypt: - needs: changes - if: ${{ (needs.changes.outputs.letsencrypt == 'true') && (github.repository == 'validatedpatterns/common') }} - uses: validatedpatterns/common/.github/workflows/chart-split.yml@main - permissions: - actions: write - contents: write - with: - chart_name: letsencrypt - target_repository: validatedpatterns/letsencrypt-chart - secrets: inherit - - clustergroup: - needs: changes - if: ${{ (needs.changes.outputs.clustergroup == 'true') && (github.repository == 'validatedpatterns/common') }} - uses: validatedpatterns/common/.github/workflows/chart-split.yml@main - permissions: - actions: write - contents: write - with: - chart_name: clustergroup - target_repository: validatedpatterns/clustergroup-chart - secrets: inherit diff --git a/common/.github/workflows/chart-split.yml b/common/.github/workflows/chart-split.yml deleted file mode 100644 index 150e419b..00000000 --- a/common/.github/workflows/chart-split.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -name: Split into chart repo branches - -on: - workflow_call: - inputs: - chart_name: - required: true - type: string - target_repository: - required: true - type: string - -jobs: - split_chart: - runs-on: ubuntu-latest - permissions: - actions: write - contents: write - steps: - - name: Checkout Code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - token: ${{ secrets.CHARTS_REPOS_TOKEN }} - - - name: Run git subtree split and push - env: - GITHUB_TOKEN: ${{ secrets.CHARTS_REPOS_TOKEN }} - run: | - set -e - N="${{ inputs.chart_name }}" - B="${N}-main-single-chart" - GITIMG="quay.io/hybridcloudpatterns/gitsubtree-container:2.40.1" - sudo apt-get update -y && sudo apt-get install -y podman - echo "Running subtree split for ${B}" - podman pull "${GITIMG}" - git push origin -d "${B}" || /bin/true - # Git subtree got broken on recent versions of git hence this container - podman run --net=host --rm -t -v .:/git "${GITIMG}" subtree split -P "${N}" -b "${B}" - #git clone https://validatedpatterns:${GITHUB_TOKEN}@github.com/validatedpatterns/common.git -b "acm-main-single-chart" --single-branch - git push --force https://validatedpatterns:"${GITHUB_TOKEN}"@github.com/${{ inputs.target_repository }}.git "${B}:main" diff --git a/common/.github/workflows/jsonschema.yaml b/common/.github/workflows/jsonschema.yaml deleted file mode 100644 index e47de928..00000000 --- a/common/.github/workflows/jsonschema.yaml +++ /dev/null @@ -1,57 +0,0 @@ ---- -name: Verify json schema - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: [push, pull_request] - -############### -# Set the Job # -############### -jobs: - jsonschema_tests: - # Name the Job - name: Json Schema tests - strategy: - matrix: - python-version: [3.11.3] - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python-version }} - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install check-jsonschema - - - name: Verify secrets json schema - run: | - check-jsonschema --schemafile ./ansible/roles/vault_utils/values-secrets.v1.schema.json examples/secrets/values-secret.v1.yaml - check-jsonschema --schemafile ./ansible/roles/vault_utils/values-secrets.v2.schema.json examples/secrets/values-secret.v2.yaml - - - name: Verify ClusterGroup values.schema.json - run: | - set -e; for i in examples/*yaml; do echo "$i"; check-jsonschema --schemafile ./clustergroup/values.schema.json "$i"; done diff --git a/common/.github/workflows/linter.yml b/common/.github/workflows/linter.yml deleted file mode 100644 index f82194ee..00000000 --- a/common/.github/workflows/linter.yml +++ /dev/null @@ -1,65 +0,0 @@ ---- -name: Unit test common - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: [push, pull_request] - -############### -# Set the Job # -############### -jobs: - build: - # Name the Job - name: Unit common/ Code Base - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - name: Setup helm - uses: azure/setup-helm@v4 - with: - version: 'v3.14.0' - - - ################################ - # Run Linter against code base # - ################################ - # - name: Lint Code Base - # uses: github/super-linter@v4 - # env: - # VALIDATE_ALL_CODEBASE: false - # DEFAULT_BRANCH: main - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run make test - run: | - make test - - - name: Run make helmlint - run: | - make helmlint - - # For now disable this until we have a nice and simple process to update the schemas in our repo - # - name: Run make helm kubeconform - # run: | - # curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz - # tar xf kubeconform-linux-amd64.tar.gz - # sudo mv -v kubeconform /usr/local/bin - # make kubeconform diff --git a/common/Changes.md b/common/Changes.md index 8ade8ad6..c12f1755 100644 --- a/common/Changes.md +++ b/common/Changes.md @@ -1,5 +1,13 @@ # Changes +## Sep 24, 2024 + +* Ansible has been moved out of the common code tree, you must use a clustergroup chart that is >= 0.9.1 + +## Sep 6, 2024 + +* Most charts have been removed from the tree. To get the charts you now have to point to them + ## Sep 25, 2023 * Upgraded ESO to v0.9.5 diff --git a/common/Makefile b/common/Makefile index 785e5307..24fba8a0 100644 --- a/common/Makefile +++ b/common/Makefile @@ -42,6 +42,8 @@ else HELM_OPTS=-f values-global.yaml --set main.tokenSecret=$(TOKEN_SECRET) --set main.tokenSecretNamespace=$(TOKEN_NAMESPACE) --set main.git.repoURL="$(TARGET_CLEAN_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(UUID_HELM_OPTS) $(EXTRA_HELM_OPTS) endif +# Helm does the right thing and fetches all the tags and detects the newest one +PATTERN_INSTALL_CHART ?= oci://quay.io/hybridcloudpatterns/pattern-install ##@ Pattern Common Tasks @@ -54,7 +56,7 @@ help: ## This help message # e.g. from industrial-edge: make -f common/Makefile show .PHONY: show show: ## show the starting template without installing it - helm template common/operator-install/ --name-template $(NAME) $(HELM_OPTS) + helm template $(PATTERN_INSTALL_CHART) --name-template $(NAME) $(HELM_OPTS) preview-all: ## (EXPERIMENTAL) Previews all applications on hub and managed clusters @echo "NOTE: This is just a tentative approximation of rendering all hub and managed clusters templates" @@ -69,7 +71,7 @@ operator-deploy operator-upgrade: validate-prereq validate-origin validate-clust @set -e -o pipefail # Retry five times because the CRD might not be fully installed yet for i in {1..5}; do \ - helm template --include-crds --name-template $(NAME) common/operator-install/ $(HELM_OPTS) | oc apply -f- && break || sleep 10; \ + helm template --include-crds --name-template $(NAME) $(PATTERN_INSTALL_CHART) $(HELM_OPTS) | oc apply -f- && break || sleep 10; \ done .PHONY: uninstall @@ -113,7 +115,7 @@ secrets-backend-none: ## Edits values files to remove secrets manager + ESO .PHONY: load-iib load-iib: ## CI target to install Index Image Bundles @set -e; if [ x$(INDEX_IMAGES) != x ]; then \ - ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \ + ansible-playbook rhvp.cluster_utils.iib-ci; \ else \ echo "No INDEX_IMAGES defined. Bailing out"; \ exit 1; \ @@ -167,7 +169,14 @@ validate-prereq: ## verify pre-requisites if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\ echo "OK";\ else\ - echo "Skipping prerequisites check as we're running inside a container";\ + if [ -f values-global.yaml ]; then\ + OUT=`yq -r '.main.multiSourceConfig.enabled // (.main.multiSourceConfig.enabled = "false")' values-global.yaml`;\ + if [ "$${OUT,,}" = "false" ]; then\ + echo "You must set \".main.multiSourceConfig.enabled: true\" in your 'values-global.yaml' file";\ + echo "because your common subfolder is the slimmed down version with no helm charts in it";\ + exit 1;\ + fi;\ + fi;\ fi .PHONY: argo-healthcheck @@ -196,39 +205,6 @@ argo-healthcheck: ## Checks if all argo applications are synced ##@ Test and Linters Tasks -CHARTS=$(shell find . -type f -iname 'Chart.yaml' -exec dirname "{}" \; | grep -v examples | sed -e 's/.\///') -# Section related to tests and linting -TEST_OPTS= -f values-global.yaml \ - --set global.repoURL="https://github.com/pattern-clone/mypattern" \ - --set main.git.repoURL="https://github.com/pattern-clone/mypattern" \ - --set main.git.revision=main --set global.pattern="mypattern" \ - --set global.namespace="pattern-namespace" \ - --set global.hubClusterDomain=apps.hub.example.com \ - --set global.localClusterDomain=apps.region.example.com \ - --set global.clusterDomain=region.example.com \ - --set global.clusterVersion="4.12" \ - --set global.clusterPlatform=aws \ - --set "clusterGroup.imperative.jobs[0].name"="test" \ - --set "clusterGroup.imperative.jobs[0].playbook"="ansible/test.yml" -PATTERN_OPTS=-f common/examples/values-example.yaml -EXECUTABLES=git helm oc ansible - -.PHONY: test -test: ## run helm tests - @for t in $(CHARTS); do common/scripts/test.sh $$t all "$(TEST_OPTS)"; if [ $$? != 0 ]; then exit 1; fi; done - -.PHONY: helmlint -helmlint: ## run helm lint - @for t in $(CHARTS); do common/scripts/lint.sh $$t $(TEST_OPTS); if [ $$? != 0 ]; then exit 1; fi; done - -API_URL ?= https://raw.githubusercontent.com/hybrid-cloud-patterns/ocp-schemas/main/openshift/4.10/ -KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition,ClusterIssuer,CertManager,Certificate,ArgoCD' - -# We need to skip 'CustomResourceDefinition' as openapi2jsonschema seems to be unable to generate them ATM -.PHONY: kubeconform -kubeconform: ## run helm kubeconform - @for t in $(CHARTS); do helm template $(TEST_OPTS) $(PATTERN_OPTS) $$t | kubeconform -strict $(KUBECONFORM_SKIP) -verbose -schema-location $(API_URL); if [ $$? != 0 ]; then exit 1; fi; done - .PHONY: super-linter super-linter: ## Runs super linter locally rm -rf .mypy_cache @@ -251,15 +227,6 @@ super-linter: ## Runs super linter locally -w /tmp/lint \ ghcr.io/super-linter/super-linter:slim-v7 -.PHONY: ansible-lint -ansible-lint: ## run ansible lint on ansible/ folder - podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace --env ANSIBLE_CONFIG=./ansible/ansible.cfg \ - --entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest "-vvv" "ansible/" - -.PHONY: ansible-unittest -ansible-unittest: ## run ansible unit tests - pytest -r a --fulltrace --color yes ansible/tests/unit/test_*.py - .PHONY: deploy upgrade legacy-deploy legacy-upgrade deploy upgrade legacy-deploy legacy-upgrade: @echo "UNSUPPORTED TARGET: please switch to 'operator-deploy'"; exit 1 diff --git a/common/README.md b/common/README.md index 568a2396..41223529 100644 --- a/common/README.md +++ b/common/README.md @@ -2,6 +2,35 @@ [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) +## Note + +This is the `main` branch of common and it assumes that the pattern is fully +multisource (meaning that any used charts from VP is actually referenced from +either a helm chart repository or quay repository). I.e. there are no helm +charts contained in this branch of common and there is no ansible code neither. + +The helm charts now live in separate repositories under the VP +[organization](https://github.com/validatedpatterns) on GitHub. The repositories are: + +- clustergroup-chart +- pattern-install-chart +- hashicorp-vault-chart +- golang-external-secrets-chart +- acm-chart +- letsencrypt-chart + +The ansible bits live in this [repository](https://github.com/validatedpatterns/rhvp.cluster_utils) + +In order to be able to use this "slimmed-down" main branch of common you *must* +use a 0.9.* clustergroup-chart that. Add the following to your `values-global.yaml`: + +```yaml +main: + multiSourceConfig: + enabled: true + clusterGroupChartVersion: 0.9.* +``` + ## Start Here This repository is never used as standalone. It is usually imported in each pattern as a subtree. @@ -14,7 +43,7 @@ do it manually by doing the following: ```sh git remote add -f upstream-common https://github.com/validatedpatterns/common.git -git merge -s subtree -Xtheirs -Xsubtree=common upstream-common/ha-vault +git merge -s subtree -Xtheirs -Xsubtree=common upstream-common/main ``` ## Secrets diff --git a/common/acm/.github/workflows/update-helm-repo.yml b/common/acm/.github/workflows/update-helm-repo.yml deleted file mode 100644 index c12af2b5..00000000 --- a/common/acm/.github/workflows/update-helm-repo.yml +++ /dev/null @@ -1,29 +0,0 @@ -# This invokes the workflow named 'publish-charts' in the umbrella repo -# It expects to have a secret called CHARTS_REPOS_TOKEN which contains -# the GitHub token that has permissions to invoke workflows and commit code -# inside the umbrella-repo. -# The following fine-grained permissions were used in testing and were limited -# to the umbrella repo only: -# - Actions: r/w -# - Commit statuses: r/w -# - Contents: r/w -# - Deployments: r/w -# - Pages: r/w - -name: vp-patterns/update-helm-repo -on: - push: - tags: - - 'v[0-9]+.[0-9]+.[0-9]+' - -jobs: - helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: - contents: read - - update-helm-repo: - needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: read-all - secrets: inherit diff --git a/common/acm/.helmignore b/common/acm/.helmignore deleted file mode 100644 index b25c15b8..00000000 --- a/common/acm/.helmignore +++ /dev/null @@ -1 +0,0 @@ -*~ diff --git a/common/acm/Chart.yaml b/common/acm/Chart.yaml deleted file mode 100644 index 3a7663b4..00000000 --- a/common/acm/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: A Helm chart to configure Advanced Cluster Manager for OpenShift. -keywords: -- pattern -name: acm -version: 0.1.1 diff --git a/common/acm/README.md b/common/acm/README.md deleted file mode 100644 index 56b39ae3..00000000 --- a/common/acm/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Validated Patterns ACM chart - -This chart is used to set up ACM in [Validated Patterns](https://validatedpatterns.io) - -Please send PRs [here](https://github.com/validatedpatterns/common) diff --git a/common/acm/templates/_helpers.tpl b/common/acm/templates/_helpers.tpl deleted file mode 100644 index 8302457a..00000000 --- a/common/acm/templates/_helpers.tpl +++ /dev/null @@ -1,57 +0,0 @@ -{{/* -Default always defined valueFiles to be included when pushing the cluster wide argo application via acm -*/}} -{{- define "acm.app.policies.valuefiles" -}} -- "/values-global.yaml" -- "/values-{{ .name }}.yaml" -- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' -- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' -- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml' -# We cannot use $.Values.global.clusterVersion because that gets resolved to the -# hub's cluster version, whereas we want to include the spoke cluster version -- '/values-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' -{{- end }} {{- /*acm.app.policies.valuefiles */}} - -{{- define "acm.app.policies.multisourcevaluefiles" -}} -- "$patternref/values-global.yaml" -- "$patternref/values-{{ .name }}.yaml" -- '$patternref/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' -- '$patternref/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' -- '$patternref/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml' -# We cannot use $.Values.global.clusterVersion because that gets resolved to the -# hub's cluster version, whereas we want to include the spoke cluster version -- '$patternref/values-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' -{{- end }} {{- /*acm.app.policies.multisourcevaluefiles */}} - -{{- define "acm.app.policies.helmparameters" -}} -- name: global.repoURL - value: {{ $.Values.global.repoURL }} -- name: global.targetRevision - value: {{ $.Values.global.targetRevision }} -- name: global.namespace - value: $ARGOCD_APP_NAMESPACE -- name: global.pattern - value: {{ $.Values.global.pattern }} -- name: global.hubClusterDomain - value: {{ $.Values.global.hubClusterDomain }} -- name: global.localClusterDomain - value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}` }}' -- name: global.clusterDomain - value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}` }}' -- name: global.clusterVersion - value: '{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}' -- name: global.localClusterName - value: '{{ `{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}` }}' -- name: global.clusterPlatform - value: {{ $.Values.global.clusterPlatform }} -- name: global.multiSourceSupport - value: {{ $.Values.global.multiSourceSupport | quote }} -- name: global.multiSourceRepoUrl - value: {{ $.Values.global.multiSourceRepoUrl }} -- name: global.multiSourceTargetRevision - value: {{ $.Values.global.multiSourceTargetRevision }} -- name: global.privateRepo - value: {{ $.Values.global.privateRepo | quote }} -- name: global.experimentalCapabilities - value: {{ $.Values.global.experimentalCapabilities }} -{{- end }} {{- /*acm.app.policies.helmparameters */}} diff --git a/common/acm/templates/multiclusterhub.yaml b/common/acm/templates/multiclusterhub.yaml deleted file mode 100644 index a4e8b89b..00000000 --- a/common/acm/templates/multiclusterhub.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- $channel := "" }} -{{- if .Values.acm.mce_operator.channel }} -{{- $channel = printf ",\"channel\": \"%s\"" .Values.acm.mce_operator.channel }} -{{- end }} -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.acm.mce_operator.source }}" {{- $channel }} }' -spec: {} diff --git a/common/acm/templates/policies/acm-hub-ca-policy.yaml b/common/acm/templates/policies/acm-hub-ca-policy.yaml deleted file mode 100644 index 5759247c..00000000 --- a/common/acm/templates/policies/acm-hub-ca-policy.yaml +++ /dev/null @@ -1,226 +0,0 @@ -# This pushes out the HUB's Certificate Authorities on to the imported clusters -{{- if .Values.clusterGroup.isHubCluster }} -{{- if (eq (((.Values.global).secretStore).backend) "vault") }} ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: golang-external-secrets - data: - hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}' - hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}' - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: imperative - data: - hub-kube-root-ca.crt: | - {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }} - hub-openshift-service-ca.crt: | - {{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }} ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-openshift-gitops-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: openshift-gitops - data: - hub-kube-root-ca.crt: | - {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }} - hub-openshift-service-ca.crt: | - {{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }} ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-openshift-gitops-policy-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-openshift-gitops-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-openshift-gitops-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' - -{{- end }}{{/* if (eq (((.Values.global).secretStore).backend) "vault") */}} -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- if not .hostedArgoSites }} ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-{{ .name }}-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-{{ .name }}-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: {{ $.Values.global.pattern }}-{{ .name }} - data: - hub-kube-root-ca.crt: | - {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }} - hub-openshift-service-ca.crt: | - {{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }} ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-{{ .name }}-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-{{ .name }}-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-{{ .name }}-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-{{ .name }}-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' -{{- end }}{{/* if not .hostedArgoSites */}} -{{- end }}{{/* range .Values.clusterGroup.managedClusterGroups */}} -{{- end }}{{/* isHubCluster */}} diff --git a/common/acm/templates/policies/application-policies.yaml b/common/acm/templates/policies/application-policies.yaml deleted file mode 100644 index fd7c2a3f..00000000 --- a/common/acm/templates/policies/application-policies.yaml +++ /dev/null @@ -1,179 +0,0 @@ -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- if not .hostedArgoSites }} -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: {{ .name }}-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: {{ .name }}-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: {{ $.Values.global.pattern }}-{{ .name }} - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - {{- if $.Values.global.multiSourceSupport }} - sources: - - repoURL: {{ coalesce .repoURL $.Values.global.repoURL }} - targetRevision: {{ coalesce .targetRevision $.Values.global.targetRevision }} - ref: patternref - - repoURL: {{ $.Values.global.multiSourceRepoUrl }} - targetRevision: {{ $.Values.global.multiSourceTargetRevision }} - chart: clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - {{- range $k, $v := $.Values.extraParametersNested }} - {{ $k }}: {{ printf "%s" $v | quote }} - {{- end }} - valueFiles: - {{- include "acm.app.policies.multisourcevaluefiles" . | nindent 24 }} - {{- range $valueFile := .extraValueFiles }} - - {{ $valueFile | quote }} - {{- end }} - parameters: - {{- include "acm.app.policies.helmparameters" $ | nindent 24 }} - - name: clusterGroup.name - value: {{ $group.name }} - {{- range $k, $v := $.Values.extraParametersNested }} - - name: {{ $k }} - value: {{ printf "%s" $v | quote }} - {{- end }} - {{- range .helmOverrides }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if .fileParameters }} - fileParameters: - {{- range .fileParameters }} - - name: {{ .name }} - path: {{ .path }} - {{- end }} - {{- end }} - - {{- else }} - source: - repoURL: {{ coalesce .repoURL $.Values.global.repoURL }} - targetRevision: {{ coalesce .targetRevision $.Values.global.targetRevision }} - path: {{ default "common/clustergroup" .path }} - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - {{- range $k, $v := $.Values.extraParametersNested }} - {{ $k }}: {{ printf "%s" $v | quote }} - {{- end }} - valueFiles: - {{- include "acm.app.policies.valuefiles" . | nindent 22 }} - {{- range $valueFile := .extraValueFiles }} - - {{ $valueFile | quote }} - {{- end }} - parameters: - {{- include "acm.app.policies.helmparameters" $ | nindent 22 }} - - name: clusterGroup.name - value: {{ $group.name }} - {{- range $k, $v := $.Values.extraParametersNested }} - - name: {{ $k }} - value: {{ printf "%s" $v | quote }} - {{- end }} - {{- range .helmOverrides }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if .fileParameters }} - fileParameters: - {{- range .fileParameters }} - - name: {{ .name }} - path: {{ .path }} - {{- end }} - {{- end }} - {{- end }}{{/* if $.Values.global.multiSourceSupport */}} - destination: - server: https://kubernetes.default.svc - namespace: {{ $.Values.global.pattern }}-{{ .name }} - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: {{ .name }}-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: {{ .name }}-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: {{ .name }}-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: {{ .name }}-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - {{- if .clusterSelector }} - clusterSelector: {{ .clusterSelector | toPrettyJson }} - {{- else if (not $group.acmlabels) }} - clusterSelector: - matchLabels: - clusterGroup: {{ $group.name }} - {{- else if eq (len $group.acmlabels) 0 }} - clusterSelector: - matchLabels: - clusterGroup: {{ $group.name }} - {{- else }} - clusterSelector: - matchLabels: - {{- range .acmlabels }} - {{ .name }}: {{ .value }} - {{- end }} - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/common/acm/templates/policies/ocp-gitops-policy.yaml b/common/acm/templates/policies/ocp-gitops-policy.yaml deleted file mode 100644 index 753e4447..00000000 --- a/common/acm/templates/policies/ocp-gitops-policy.yaml +++ /dev/null @@ -1,335 +0,0 @@ -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: {{ default "gitops-1.13" .Values.main.gitops.channel }} - installPlanApproval: Automatic - name: openshift-gitops-operator - source: {{ default "redhat-operators" .Values.main.gitops.operatorSource }} - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - {{- if and (.Values.global.argocdServer) (.Values.global.argocdServer.route) (.Values.global.argocdServer.route.tls) }} - tls: - insecureEdgeTerminationPolicy: {{ default "Redirect" .Values.global.argocdServer.route.tls.insecureEdgeTerminationPolicy }} - termination: {{ default "reencrypt" .Values.global.argocdServer.route.tls.termination }} - {{- end }} - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' diff --git a/common/acm/templates/policies/private-repo-policies.yaml b/common/acm/templates/policies/private-repo-policies.yaml deleted file mode 100644 index 0b7db0da..00000000 --- a/common/acm/templates/policies/private-repo-policies.yaml +++ /dev/null @@ -1,161 +0,0 @@ -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace -{{ if $.Values.global.privateRepo }} -{{ if .Values.clusterGroup.isHubCluster }} ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: private-hub-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: private-hub-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: vp-private-repo-credentials - namespace: open-cluster-management - labels: - argocd.argoproj.io/secret-type: repository - data: '{{ `{{copySecretData "openshift-gitops" "vp-private-repo-credentials"}}` }}' ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: private-hub-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: private-hub-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: private-hub-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: private-hub-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: In - values: - - 'true' ---- -{{ end }}{{- /* if .Values.clusterGroup.isHubCluster */}} -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- if not .hostedArgoSites }} -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: private-{{ .name }}-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: private-{{ .name }}-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: vp-private-repo-credentials - namespace: openshift-gitops - labels: - argocd.argoproj.io/secret-type: repository - data: '{{ `{{hub copySecretData "open-cluster-management" "vp-private-repo-credentials" hub}}` }}' - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: vp-private-repo-credentials - namespace: {{ $.Values.global.pattern }}-{{ .name }} - labels: - argocd.argoproj.io/secret-type: repository - data: '{{ `{{hub copySecretData "open-cluster-management" "vp-private-repo-credentials" hub}}` }}' ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: private-{{ .name }}-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: private-{{ .name }}-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: private-{{ .name }}-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: private-{{ .name }}-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' -{{- end }}{{- /* if not .hostedArgoSites */}} -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} -{{- end }}{{- /* if $.Values.global.privateRepo */}} diff --git a/common/acm/templates/provision/_install-config.tpl b/common/acm/templates/provision/_install-config.tpl deleted file mode 100644 index b0336627..00000000 --- a/common/acm/templates/provision/_install-config.tpl +++ /dev/null @@ -1,66 +0,0 @@ -{{- define "cluster.install-config" -}} - -{{- $type := "None" }} -{{- $cloud := "None" }} -{{- $region := "None" }} - -{{- if .platform.aws }} -{{- $cloud = "aws" }} -{{- $region = .platform.aws.region }} -{{- $type = "m5.xlarge" }} -{{- else if .platform.azure }} -{{- $cloud = "azure" }} -{{- $region = .platform.azure.region }} -{{- $type = "Standard_D8s_v3" }} -{{- end }} - -apiVersion: v1 -metadata: - name: '{{ .name }}' -baseDomain: {{ .baseDomain }} -controlPlane: - architecture: amd64 - hyperthreading: Enabled - name: controlPlane - {{- if .controlPlane }} - replicas: {{ default 3 .controlPlane.count }} - {{- if .controlPlane.platform }} - platform: - {{- toYaml .controlPlane.platform | nindent 4 }} - {{- end }} - {{- else }} - replicas: 3 - platform: - {{ $cloud }}: - type: {{ $type }} - {{- end }} -compute: -- hyperthreading: Enabled - architecture: amd64 - name: 'worker' - {{- if .workers }} - replicas: {{ default 0 .workers.count }} - {{- if .workers.platform }} - platform: - {{- toYaml .workers.platform | nindent 4 }} - {{- end }} - {{- else }} - replicas: 3 - platform: - {{ $cloud }}: - type: {{ $type }} - {{- end }} -networking: - clusterNetwork: - - cidr: 10.128.0.0/14 - hostPrefix: 23 - machineNetwork: - - cidr: 10.0.0.0/16 - networkType: OVNKubernetes - serviceNetwork: - - 172.30.0.0/16 -platform: -{{- toYaml .platform | nindent 2 }} -pullSecret: "" # skip, hive will inject based on it's secrets -sshKey: "" # skip, hive will inject based on it's secrets -{{- end -}} diff --git a/common/acm/templates/provision/clusterdeployment.yaml b/common/acm/templates/provision/clusterdeployment.yaml deleted file mode 100644 index f7f71a52..00000000 --- a/common/acm/templates/provision/clusterdeployment.yaml +++ /dev/null @@ -1,83 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} - -{{- range $group.clusterDeployments}} -{{ $cluster := . }} - -{{- if (eq $cluster.name nil) }} -{{- fail (printf "managedClusterGroup clusterDeployment cluster name is empty: %s" $cluster) }} -{{- end }} -{{- if (eq $group.name nil) }} -{{- fail (printf "managedClusterGroup clusterDeployment group name is empty: %s" $cluster) }} -{{- end }} - -{{- $deploymentName := print $cluster.name "-" $group.name }} - -{{- $cloud := "None" }} -{{- $region := "None" }} - -{{- if $cluster.platform.aws }} -{{- $cloud = "aws" }} -{{- $region = $cluster.platform.aws.region }} -{{- else if $cluster.platform.azure }} -{{- $cloud = "azure" }} -{{- $region = $cluster.platform.azure.region }} -{{- end }} - ---- -apiVersion: v1 -kind: Namespace -metadata: - name: {{ $deploymentName }} - ---- -apiVersion: hive.openshift.io/v1 -kind: ClusterDeployment -metadata: - name: {{ $deploymentName }} - namespace: {{ $deploymentName }} - labels: - vendor: OpenShift - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - baseDomain: {{ $cluster.baseDomain }} - clusterName: {{ $deploymentName }} - installAttemptsLimit: 1 - platform: - {{ $cloud }}: - credentialsSecretRef: - name: {{ $deploymentName }}-creds - region: {{ $region }} - provisioning: - installConfigSecretRef: - name: {{ $deploymentName }}-install-config - sshPrivateKeySecretRef: - name: {{ $deploymentName }}-ssh-private-key - imageSetRef: - name: img{{ $cluster.openshiftVersion }}-multi-appsub - pullSecretRef: - name: {{ $deploymentName }}-pull-secret - ---- -apiVersion: cluster.open-cluster-management.io/v1 -kind: ManagedCluster -metadata: - labels: - cluster.open-cluster-management.io/clusterset: {{ $group.name }} - {{- if (not $group.acmlabels) }} - clusterGroup: {{ $group.name }} - {{- else if eq (len $group.acmlabels) 0 }} - clusterGroup: {{ $group.name }} - {{- else }} - {{- range $group.acmlabels }} - {{ .name }}: {{ .value }} - {{- end }} - {{- end }} - name: {{ $deploymentName }} - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - hubAcceptsClient: true -{{- end }}{{- /* range $group.clusterDeployments */}} -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} diff --git a/common/acm/templates/provision/clusterpool.yaml b/common/acm/templates/provision/clusterpool.yaml deleted file mode 100644 index d95905f7..00000000 --- a/common/acm/templates/provision/clusterpool.yaml +++ /dev/null @@ -1,82 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- range .clusterPools }} - -{{- $pool := . }} -{{- $poolName := print .name "-" $group.name }} - -{{- $cloud := "None" }} -{{- $region := "None" }} -{{- $numClusters := 0 }} - -{{- if .platform.aws }} -{{- $cloud = "aws" }} -{{- $region = .platform.aws.region }} -{{- else if .platform.azure }} -{{- $cloud = "azure" }} -{{- $region = .platform.azure.region }} -{{- end }} - -{{- if .clusters }} -{{- $numClusters = len .clusters }} -{{- end }} - -apiVersion: hive.openshift.io/v1 -kind: ClusterPool -metadata: - name: "{{ $poolName }}" - annotations: - argocd.argoproj.io/sync-wave: "10" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - cloud: {{ $cloud }} - region: '{{ $region }}' - vendor: OpenShift - cluster.open-cluster-management.io/clusterset: {{ .name }} -spec: - {{- if .size }} - size: {{ .size }} - {{- else }} - size: {{ $numClusters }} - {{- end }} - runningCount: {{ $numClusters }} - baseDomain: {{ .baseDomain }} - installConfigSecretTemplateRef: - name: {{ $poolName }}-install-config - imageSetRef: - name: img{{ .openshiftVersion }}-multi-appsub - pullSecretRef: - name: {{ $poolName }}-pull-secret - skipMachinePools: true # Disable MachinePool as using custom install-config - platform: - {{ $cloud }}: - credentialsSecretRef: - name: {{ $poolName }}-creds - region: {{ $region }} ---- -{{- range .clusters }} -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim -metadata: - name: '{{ lower . }}-{{ lower $group.name }}' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: {{ lower . }}-{{ lower $group.name }} - {{- if (not $group.acmlabels) }} - clusterGroup: {{ $group.name }} - {{- else if eq (len $group.acmlabels) 0 }} - clusterGroup: {{ $group.name }} - {{- else }} - {{- range $group.acmlabels }} - {{ .name }}: {{ .value }} - {{- end }} - {{- end }} -spec: - clusterPoolName: {{ $poolName }} ---- -{{- end }}{{- /* range .range clusters */}} -{{- end }}{{- /* range .clusterPools */}} -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} diff --git a/common/acm/templates/provision/managedclusterset.yaml b/common/acm/templates/provision/managedclusterset.yaml deleted file mode 100644 index 2c8eaffa..00000000 --- a/common/acm/templates/provision/managedclusterset.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- if or .clusterPools .clusterDeployments }}{{- /* We only create ManagedClusterSets if there are clusterPools or clusterDeployments defined */}} ---- -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSet -metadata: - annotations: - cluster.open-cluster-management.io/submariner-broker-ns: {{ .name }}-broker - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: {{ .name }} - -{{- end }}{{- /* if .clusterPools) */}} -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} diff --git a/common/acm/templates/provision/secrets-aws.yaml b/common/acm/templates/provision/secrets-aws.yaml deleted file mode 100644 index 911aff4a..00000000 --- a/common/acm/templates/provision/secrets-aws.yaml +++ /dev/null @@ -1,111 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- range .clusterPools }} -{{- $poolName := print .name "-" $group.name }} -{{- if .platform.aws }} ---- -{{- template "externalsecret.aws.creds" (dict "name" $poolName "context" . "secretStore" $.Values.secretStore) }} ---- -{{- template "externalsecret.aws.infra-creds" (dict "name" $poolName "context" . "secretStore" $.Values.secretStore) }} - -{{- end }}{{- /* if .platform.aws */}} -{{- end }}{{- /* range .clusterPools */}} - -{{- range .clusterDeployments }} -{{- $deploymentName := print .name "-" $group.name }} -{{- if .platform.aws }} ---- -{{- template "externalsecret.aws.creds" (dict "name" $deploymentName "context" . "secretStore" $.Values.secretStore "namespaced" true) }} ---- -{{- template "externalsecret.aws.infra-creds" (dict "name" $deploymentName "context" . "secretStore" $.Values.secretStore "namespaced" true) }} - -{{- end }}{{- /* if .platform.aws */}} -{{- end }}{{- /* range .clusterDeployments */}} - -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} - -{{- define "externalsecret.aws.creds" }} -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .name }}-creds - {{- if .namespaced }} - namespace: {{ .name }} - {{- end }} -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: {{ default "secret/data/hub/aws" .context.awsKeyPath }} - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ .secretStore.name }} - kind: {{ .secretStore.kind }} - target: - name: {{ .name }}-creds - creationPolicy: Owner - template: - type: Opaque -{{- end}} - -{{- define "externalsecret.aws.infra-creds"}} -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .name }}-infra-creds - {{- if .namespaced }} - namespace: {{ .name }} - {{- end }} -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: {{ default "secret/data/hub/openshiftPullSecret" .context.pullSecretKeyPath }} - property: content - - secretKey: awsKeyId - remoteRef: - key: {{ default "secret/data/hub/aws" .context.awsKeyPath }} - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: {{ default "secret/data/hub/aws" .context.awsKeyPath }} - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: {{ default "secret/data/hub/publickey" .context.sshPublicKeyPath }} - property: content - - secretKey: sshPrivateKey - remoteRef: - key: {{ default "secret/data/hub/privatekey" .context.sshPrivateKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ .secretStore.name }} - kind: {{ .secretStore.kind }} - target: - name: {{ .name }}-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "{{ .context.baseDomain }}" - pullSecret: |- - {{ "{{ .openshiftPullSecret | toString }}" }} - aws_access_key_id: |- - {{ "{{ .awsKeyId | toString }}" }} - aws_secret_access_key: |- - {{ "{{ .awsAccessKey | toString }}" }} - ssh-privatekey: |- - {{ "{{ .sshPrivateKey | toString }}" }} - ssh-publickey: |- - {{ "{{ .sshPublicKey | toString }}" }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" -{{- end}} diff --git a/common/acm/templates/provision/secrets-azure.yaml b/common/acm/templates/provision/secrets-azure.yaml deleted file mode 100644 index 1ef5842c..00000000 --- a/common/acm/templates/provision/secrets-azure.yaml +++ /dev/null @@ -1,113 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- range .clusterPools }} -{{- $poolName := print .name "-" $group.name }} -{{- if .platform.azure }} ---- -{{- template "externalsecret.azure.creds" (dict "name" $poolName "context" . "secretStore" $.Values.secretStore) }} ---- -{{- template "externalsecret.azure.infra-creds" (dict "name" $poolName "context" . "secretStore" $.Values.secretStore) }} - ---- -{{- end }}{{- /* if .platform.azure */}} -{{- end }}{{- /* range .clusterPools */}} - -{{- range .clusterDeployments }} -{{- $deploymentName := print .name "-" $group.name }} -{{- if .platform.azure }} ---- -{{- template "externalsecret.azure.creds" (dict "name" $deploymentName "context" . "secretStore" $.Values.secretStore "namespaced" true) }} ---- -{{- template "externalsecret.azure.infra-creds" (dict "name" $deploymentName "context" . "secretStore" $.Values.secretStore "namespaced" true) }} - - -{{- end }}{{- /* if .platform.azure */}} -{{- end }}{{- /* range .clusterPools */}} - -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} - -{{- define "externalsecret.azure.creds" }} -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .name }}-creds - {{- if .namespaced }} - namespace: {{ .name }} - {{- end }} -spec: - data: - - secretKey: azureOsServicePrincipal - remoteRef: - key: {{ default "secret/data/hub/azureOsServicePrincipal" .context.azureKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ .secretStore.name }} - kind: {{ .secretStore.kind }} - target: - name: {{ .name }}-creds - creationPolicy: Owner - template: - type: Opaque - data: - osServicePrincipal.json: |- - {{ "{{ .azureOsServicePrincipal | toString }}" }} -{{- end }} - -{{- define "externalsecret.azure.infra-creds"}} -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .name }}-infra-creds - {{- if .namespaced }} - namespace: {{ .name }} - {{- end }} -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: {{ default "secret/data/hub/openshiftPullSecret" .context.pullSecretKeyPath }} - property: content - - secretKey: sshPublicKey - remoteRef: - key: {{ default "secret/data/hub/publickey" .context.sshPublicKeyPath }} - property: content - - secretKey: sshPrivateKey - remoteRef: - key: {{ default "secret/data/hub/privatekey" .context.sshPrivateKeyPath }} - property: content - - secretKey: azureOsServicePrincipal - remoteRef: - key: {{ default "secret/data/hub/azureOsServicePrincipal" .context.azureKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ .secretStore.name }} - kind: {{ .secretStore.kind }} - target: - name: {{ .name }}-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - cloudName: AzurePublicCloud - osServicePrincipal.json: |- - {{ "{{ .azureOsServicePrincipal | toString }}" }} - baseDomain: "{{ .context.baseDomain }}" - baseDomainResourceGroupName: "{{ .context.platform.azure.baseDomainResourceGroupName | toString }}" - pullSecret: |- - {{ "{{ .openshiftPullSecret | toString }}" }} - ssh-privatekey: |- - {{ "{{ .sshPrivateKey | toString }}" }} - ssh-publickey: |- - {{ "{{ .sshPublicKey | toString }}" }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" -{{- end }} diff --git a/common/acm/templates/provision/secrets-common.yaml b/common/acm/templates/provision/secrets-common.yaml deleted file mode 100644 index 6901c79c..00000000 --- a/common/acm/templates/provision/secrets-common.yaml +++ /dev/null @@ -1,95 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} - -{{- range .clusterPools }} -{{- $poolName := print .name "-" $group.name }} ---- -{{- template "secret.install-config" (dict "name" $poolName "context" .) }} ---- -{{- template "externalsecret.pull-secret" (dict "name" $poolName "context" . "secretStore" $.Values.secretStore) }} ---- -{{- template "externalsecret.ssh.private.key" (dict "name" $poolName "context" . "secretStore" $.Values.secretStore) }} -{{- end }}{{- /* range .clusterPools */}} - -{{- range .clusterDeployments }} -{{- $deploymentName := print .name "-" $group.name }} ---- -{{- template "secret.install-config" (dict "name" $deploymentName "context" . "namespaced" true) }} ---- -{{- template "externalsecret.pull-secret" (dict "name" $deploymentName "context" . "secretStore" $.Values.secretStore "namespaced" true) }} ---- -{{- template "externalsecret.ssh.private.key" (dict "name" $deploymentName "context" . "secretStore" $.Values.secretStore "namespaced" true) }} -{{- end }}{{- /* range .clusterDeplyments */}} - -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} - -{{- define "secret.install-config"}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .name }}-install-config - {{- if .namespaced }} - namespace: {{ .name }} - {{- end }} -data: - # Base64 encoding of install-config yaml - install-config.yaml: {{ include "cluster.install-config" .context | b64enc }} -type: Opaque -{{- end }} - -{{- define "externalsecret.pull-secret" }} -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .name }}-pull-secret - {{- if .namespaced }} - namespace: {{ .name }} - {{- end }} -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: {{ default "secret/data/hub/openshiftPullSecret" .context.pullSecretKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ .secretStore.name }} - kind: {{ .secretStore.kind }} - target: - name: {{ .name }}-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ "{{ .openshiftPullSecret | toString }}" }} -{{- end }} - - -{{- define "externalsecret.ssh.private.key" }} -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .name }}-ssh-private-key - {{- if .namespaced }} - namespace: {{ .name }} - {{- end }} -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: {{ default "secret/data/hub/privatekey" .context.sshPrivateKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ .secretStore.name }} - kind: {{ .secretStore.kind }} - target: - name: {{ .name }}-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ "{{ .sshPrivateKey | toString }}" }} -{{- end }} diff --git a/common/acm/test.yaml b/common/acm/test.yaml deleted file mode 100644 index 669daf07..00000000 --- a/common/acm/test.yaml +++ /dev/null @@ -1,35 +0,0 @@ -clusterGroup: - managedClusterGroups: - exampleRegion: - name: region-one - - # Before enabling cluster provisioning, ensure AWS/Azure credentials and OCP - # pull secrets are defined in Vault. See values-secret.yaml.template - # - clusterPools: - exampleAWSPool: - name: aws-ap - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - platform: - aws: - region: ap-southeast-2 - clusters: - - One - exampleAzurePool: - name: azure-us - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - platform: - azure: - baseDomainResourceGroupName: dojo-dns-zones - region: eastus - clusters: - - Two - - Three - acmlabels: - - name: clusterGroup - value: region-one - helmOverrides: - - name: clusterGroup.isHubCluster - value: false diff --git a/common/acm/values.yaml b/common/acm/values.yaml deleted file mode 100644 index ff5777da..00000000 --- a/common/acm/values.yaml +++ /dev/null @@ -1,61 +0,0 @@ -main: - gitops: - channel: "gitops-1.13" - -global: - extraValueFiles: [] - pattern: none - repoURL: none - targetRevision: main - options: - applicationRetryLimit: 20 - secretStore: - backend: "vault" - -clusterGroup: - subscriptions: - acm: - source: redhat-operators - managedClusterGroups: -# testRegion: -# name: region-one -# clusterPools: -# testPool: -# name: spoke -# openshiftVersion: 4.10.18 -# baseDomain: blueprints.rhecoeng.com -# platform: -# aws: -# region: ap-southeast-2 -# clusters: -# - spoke1 -# labels: -# - name: clusterGroup -# value: region-one -# testRegionTwo: -# name: region-two -# clusterDeployments: -# myFirstCluster: -# name: mcluster1 -# openshiftVersion: 4.10.18 -# baseDomain: blueprints.rhecoeng.com -# platform: -# azure: -# baseDomainResourceGroupName: dojo-dns-zones -# region: eastus -# labels: -# - name: clusterGroup -# value: region-two - -acm: - # Just used for IIB testing, drives the source and channel for the MCE - # subscription triggered by ACM - mce_operator: - source: redhat-operators - channel: null - - - -secretStore: - name: vault-backend - kind: ClusterSecretStore diff --git a/common/ansible/ansible.cfg b/common/ansible/ansible.cfg deleted file mode 100644 index 652feb98..00000000 --- a/common/ansible/ansible.cfg +++ /dev/null @@ -1,6 +0,0 @@ -[defaults] -localhost_warning=False -library=./plugins/modules:~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules -roles_path=./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles -module_utils=~/.ansible/plugins/module_utils:./plugins/module_utils:/usr/share/ansible/plugins/module_utils -filter_plugins=~/.ansible/plugins/filter:./plugins/filter:/usr/share/ansible/plugins/filter diff --git a/common/ansible/playbooks/acm/acmhub-get-ca.yaml b/common/ansible/playbooks/acm/acmhub-get-ca.yaml deleted file mode 100644 index 770333ff..00000000 --- a/common/ansible/playbooks/acm/acmhub-get-ca.yaml +++ /dev/null @@ -1,53 +0,0 @@ -# This playbook fetches the hub cluster's CAbundle from ACM's objects -# and puts it in a secret inside the imperative namespace ---- -- name: ACM Get Hub CA - hosts: localhost - connection: local - gather_facts: false - become: false - vars: - ns: imperative - tasks: - - name: Find hub cluster - kubernetes.core.k8s_info: - kind: Secret - name: hub-kubeconfig-secret - namespace: open-cluster-management-agent - register: hub_cluster - - - name: Do nothing when no managed clusters are found - ansible.builtin.meta: end_play - when: hub_cluster['resources'][0]['data']['kubeconfig'] is not defined - - # FIXME(bandini) The assumption here is that there is a single hub cluster for each managed cluster - # - # oc extract secret/hub-kubeconfig-secret --keys=kubeconfig --to=- -n open-cluster-management-agent - # apiVersion: v1 - # clusters: - # - cluster: - # certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURNakNDQWhxZ0F3SU... - # server: https://api.bandini-dc.blueprints.rhecoeng.com:6443 - # name: default-cluster - - name: Get hub cluster facts - ansible.builtin.set_fact: - # kubeconfig is just a b64-econded yaml - hub_cluster_kubeconfig: "{{ hub_cluster['resources'][0]['data']['kubeconfig'] | b64decode | from_yaml }}" - - - name: Set CA fact - ansible.builtin.set_fact: - # The .get() call is needed because the key has dashes in it - hub_cluster_ca: "{{ hub_cluster_kubeconfig.clusters[0].cluster.get('certificate-authority-data') }}" - - - name: Create secret with managed cluster's CA - kubernetes.core.k8s: - state: present - definition: - kind: Secret - apiVersion: v1 - metadata: - name: "hub" - namespace: "{{ ns }}" - data: - caBundle: "{{ hub_cluster_ca }}" - type: Opaque diff --git a/common/ansible/playbooks/auto-approve-installplans/auto-approve-installplans.yaml b/common/ansible/playbooks/auto-approve-installplans/auto-approve-installplans.yaml deleted file mode 100644 index 6b6802d4..00000000 --- a/common/ansible/playbooks/auto-approve-installplans/auto-approve-installplans.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# This playbook will watch for pending install plans of managed operators -# if they are in Manual and there's a startingCSV that must be installed ---- -- name: InstallPlan Auto-Approver - hosts: localhost - connection: local - gather_facts: false - become: false - - tasks: - - name: Get all installPlans from OpenShift - kubernetes.core.k8s_info: - api_version: operators.coreos.com/v1alpha1 - kind: InstallPlan - register: installplans - - - name: Get required CSVs from clusterGroup data - ansible.builtin.set_fact: - expected_csv: "{{ expected_csv | default([]) + [item.csv] }}" - when: item.csv | default(false) and - ((item.installPlanApproval | default("") == "Manual") or - (item.installPlanApproval | default("") == "" and global.options.installPlanApproval | default("") == "Manual")) - with_items: "{{ clusterGroup.subscriptions.values() }}" - - # TODO: loop over clusterGroup.subscriptions instead of installplans - # to allow certain control on the order of approvals - # IDEA: allow adding a per-installplan delay after the approval before - # moving forward to the next one - - name: Approve the missing installPlans - kubernetes.core.k8s_json_patch: - api_version: operators.coreos.com/v1alpha1 - kind: InstallPlan - name: "{{ item.metadata.name }}" - namespace: "{{ item.metadata.namespace }}" - patch: - - op: replace - path: /spec/approved - value: true - when: (item.spec.clusterServiceVersionNames | intersect(expected_csv | default([]))) | length > 0 - loop: "{{ installplans.resources }}" diff --git a/common/ansible/playbooks/hello-world/hello-world.yaml b/common/ansible/playbooks/hello-world/hello-world.yaml deleted file mode 100644 index c0a992a7..00000000 --- a/common/ansible/playbooks/hello-world/hello-world.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# This playbook is a simple hello-world playbook to show capabilities -# It creates a config-map inside the imperative namespace containing -# the helm variable "global.clusterDomain" ---- -- name: Hello World Example - hosts: localhost - connection: local - gather_facts: false - become: false - vars: - ns: imperative - tasks: - - name: Create secret with managed cluster's CA - kubernetes.core.k8s: - state: present - definition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: "hello-world" - namespace: "{{ ns }}" - data: - hello-cluster-domain: "{{ global['clusterDomain'] }}" diff --git a/common/ansible/playbooks/iib-ci/iib-ci.yaml b/common/ansible/playbooks/iib-ci/iib-ci.yaml deleted file mode 100644 index dc6e45cb..00000000 --- a/common/ansible/playbooks/iib-ci/iib-ci.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# This playbook invokes the iib_ci role ---- -- name: IIB CI playbook - hosts: localhost - connection: local - gather_facts: false - roles: - - iib_ci diff --git a/common/ansible/playbooks/iib-ci/lookup.yml b/common/ansible/playbooks/iib-ci/lookup.yml deleted file mode 100644 index f39b8ea3..00000000 --- a/common/ansible/playbooks/iib-ci/lookup.yml +++ /dev/null @@ -1,46 +0,0 @@ ---- -- name: IIB CI playbook - hosts: localhost - connection: local - gather_facts: false - vars: - rh_url: "https://datagrepper.engineering.redhat.com/raw?topic=/topic/VirtualTopic.eng.ci.redhat-container-image.index.built&delta=15780000&contains=%s" - operator: "openshift-gitops-1-gitops-operator-bundle" - ocp_versions: {} - tasks: - - name: Set url fact - ansible.builtin.set_fact: - url: "{{ rh_url | format(operator) }}" - - - name: Fetch URI - ansible.builtin.uri: - url: "{{ url }}" - return_content: true - register: jsoncontent - - - name: Setting content - ansible.builtin.set_fact: - content: "{{ jsoncontent['content'] | from_json }}" - - - name: Set messages fact - ansible.builtin.set_fact: - raw_messages: "{{ content.raw_messages }}" - - # The when clause is because if we already have an IIB for an ocp version we do not - # want to override it (combine will always override existing keys) - # Reason for this is that the messages are sorted last first and we only want the - # last entries - - name: Set output - ansible.builtin.set_fact: - ocp_versions: "{{ ocp_versions | combine({item['msg']['index']['ocp_version']: {'indeximage': item['msg']['index']['index_image'], 'bundleimage': item['msg']['index']['added_bundle_images'][0]}}) }}" - loop: "{{ raw_messages }}" - when: item['msg']['index']['ocp_version'] is not in ocp_versions - loop_control: - label: "{{ item['msg']['index']['ocp_version'] }}" - - - name: Print OCP versions for "{{ operator }}" - ansible.builtin.debug: - msg: "{{ item.key }} -> {{ item.value }}" - loop: "{{ ocp_versions | dict2items }}" - loop_control: - label: "{{ item.key }}" diff --git a/common/ansible/playbooks/k8s_secrets/k8s_secrets.yml b/common/ansible/playbooks/k8s_secrets/k8s_secrets.yml deleted file mode 100644 index 989a498a..00000000 --- a/common/ansible/playbooks/k8s_secrets/k8s_secrets.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Secrets parsing and direct loading - hosts: localhost - connection: local - gather_facts: false - roles: - - find_vp_secrets - - cluster_pre_check - - k8s_secret_utils diff --git a/common/ansible/playbooks/process_secrets/display_secrets_info.yml b/common/ansible/playbooks/process_secrets/display_secrets_info.yml deleted file mode 100644 index 4d972359..00000000 --- a/common/ansible/playbooks/process_secrets/display_secrets_info.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -- name: Parse and display secrets - hosts: localhost - connection: local - gather_facts: false - vars: - secrets_backing_store: "vault" - tasks: - # Set the VALUES_SECRET environment variable to the file to parse - - name: Find and decrypt secrets if needed - ansible.builtin.include_role: - name: find_vp_secrets - - # find_vp_secrets will return a plaintext data structure called values_secrets_data - # This will allow us to determine schema version and which backend to use - - name: Determine how to load secrets - ansible.builtin.set_fact: - secrets_yaml: '{{ values_secrets_data | from_yaml }}' - - - name: Parse secrets data - no_log: '{{ override_no_log | default(true) }}' - parse_secrets_info: - values_secrets_plaintext: "{{ values_secrets_data }}" - secrets_backing_store: "{{ secrets_backing_store }}" - register: secrets_results - - - name: Display secrets data - ansible.builtin.debug: - var: secrets_results diff --git a/common/ansible/playbooks/process_secrets/process_secrets.yml b/common/ansible/playbooks/process_secrets/process_secrets.yml deleted file mode 100644 index ecc1b565..00000000 --- a/common/ansible/playbooks/process_secrets/process_secrets.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- -- name: Parse and load secrets - hosts: localhost - connection: local - gather_facts: false - vars: - secrets_role: 'vault_utils' - pattern_name: 'common' - pattern_dir: '.' - secrets_backing_store: 'vault' - tasks_from: 'push_parsed_secrets' - tasks: - - name: "Run secret-loading pre-requisites" - ansible.builtin.include_role: - name: '{{ item }}' - loop: - - cluster_pre_check - - find_vp_secrets - - # find_vp_secrets will return a plaintext data structure called values_secrets_data - # This will allow us to determine schema version and which backend to use - - name: Determine how to load secrets - ansible.builtin.set_fact: - secrets_yaml: '{{ values_secrets_data | from_yaml }}' - - - name: Parse secrets data - no_log: '{{ override_no_log | default(true) }}' - parse_secrets_info: - values_secrets_plaintext: "{{ values_secrets_data }}" - secrets_backing_store: "{{ secrets_backing_store }}" - register: secrets_results - - # Use the k8s secrets loader when explicitly requested - - name: Determine role to use to load secrets - ansible.builtin.set_fact: - secrets_role: 'k8s_secret_utils' - tasks_from: 'inject_k8s_secrets' - when: - - secrets_backing_store == "kubernetes" or secrets_backing_store == "none" - - secrets_yaml['version'] | default('2.0') >= '2.0' - - # secrets_role will have been changed from the default if needed - - name: Load secrets using designated role and tasks - ansible.builtin.include_role: - name: '{{ secrets_role }}' - tasks_from: '{{ tasks_from }}' - vars: - kubernetes_secret_objects: "{{ secrets_results['kubernetes_secret_objects'] }}" - vault_policies: "{{ secrets_results['vault_policies'] }}" - parsed_secrets: "{{ secrets_results['parsed_secrets'] }}" diff --git a/common/ansible/playbooks/vault/vault.yaml b/common/ansible/playbooks/vault/vault.yaml deleted file mode 100644 index b0da9405..00000000 --- a/common/ansible/playbooks/vault/vault.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Vault initialization - hosts: localhost - connection: local - gather_facts: false - roles: - - find_vp_secrets - - cluster_pre_check - - vault_utils diff --git a/common/ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml b/common/ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml deleted file mode 100644 index dcb23111..00000000 --- a/common/ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml +++ /dev/null @@ -1,93 +0,0 @@ ---- -- name: Test k8s authentication methods - hosts: localhost - connection: local - gather_facts: false - become: false - vars: - kubeconfig_file: '~/.kube/config' - k8s_host: '{{ lookup("env", "K8S_AUTH_HOST") }}' - k8s_validate_certs: '{{ lookup("env", "K8S_AUTH_VERIFY_SSL") | default(false) | bool }}' - k8s_username: '{{ lookup("env", "K8S_AUTH_USERNAME") | default("kubeconfig") }}' - k8s_password: '{{ lookup("env", "K8S_AUTH_PASSWORD") | default(omit) }}' - k8s_api_key: '{{ lookup("env", "K8S_AUTH_TOKEN") | default(omit) }}' - k8s_ca_cert_file: '{{ lookup("env", "K8S_AUTH_SSL_CA_CERT") | default(omit) }}' - tasks: - - name: Check for pre-existing kubeconfig - ansible.builtin.stat: - path: '{{ kubeconfig_file }}' - register: kubeconfig_stat - - - name: Exit if kubeconfig found - ansible.builtin.fail: - msg: '{{ kubeconfig_file }} already exists! Exiting' - when: kubeconfig_stat.stat.exists - - - name: Get namespaces to test parameters - kubernetes.core.k8s_info: - host: '{{ k8s_host }}' - validate_certs: '{{ k8s_validate_certs }}' - username: '{{ k8s_username }}' - api_key: '{{ k8s_api_key }}' - ca_cert: '{{ k8s_ca_cert_file | default(omit) }}' - kind: namespace - when: k8s_api_key - - - name: Login explicitly - when: not k8s_api_key - block: - - name: Login explicitly to get token - kubernetes.core.k8s_auth: - host: '{{ k8s_host }}' - validate_certs: '{{ k8s_validate_certs }}' - username: '{{ k8s_username }}' - password: '{{ k8s_password }}' - ca_cert: '{{ k8s_ca_cert_file | default(omit) }}' - register: auth - - - name: Set api_key - ansible.builtin.set_fact: - k8s_api_key: '{{ auth.openshift_auth.api_key }}' - - - name: Update username if needed - ansible.builtin.set_fact: - config_k8s_username: 'kube:admin' - when: k8s_username == 'kubeadmin' - - - name: Determine clustername - ansible.builtin.set_fact: - config_k8s_clustername: "{{ k8s_host | regex_replace('https://', '') | regex_replace('\\.', '-') }}" - - - name: Write config file - ansible.builtin.copy: - content: |- - apiVersion: v1 - clusters: - - cluster: - {% if k8s_validate_certs is false %} - insecure-skip-tls-verify: true - {% endif %} - {% if k8s_ca_cert_file -%} - certificate-authority-data: {{ lookup("file", k8s_ca_cert_file) | b64encode }} - {% endif %} - server: {{ k8s_host }} - name: {{ config_k8s_clustername }} - contexts: - - context: - cluster: {{ config_k8s_clustername }} - namespace: default - user: {{ config_k8s_username | default(k8s_username) }}/{{ config_k8s_clustername }} - name: default/{{ config_k8s_clustername }}/{{ config_k8s_username | default(k8s_username) }} - current-context: default/{{ config_k8s_clustername }}/{{ config_k8s_username | default(k8s_username) }} - kind: Config - preferences: {} - users: - - name: {{ config_k8s_username | default(k8s_username) }}/{{ config_k8s_clustername }} - user: - token: {{ k8s_api_key }} - dest: '{{ kubeconfig_file }}' - mode: '0640' - - - name: Notify user - ansible.builtin.debug: - msg: "Wrote {{ kubeconfig_file }}" diff --git a/common/ansible/plugins/__init__.py b/common/ansible/plugins/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/common/ansible/plugins/filter/parse_acm_secrets.py b/common/ansible/plugins/filter/parse_acm_secrets.py deleted file mode 100644 index 1c5148e3..00000000 --- a/common/ansible/plugins/filter/parse_acm_secrets.py +++ /dev/null @@ -1,84 +0,0 @@ -# This filter takes a bunch of acm secrets that represent the remote clusters -# (Usually it is all secrets that are labeled with: -# "apps.open-cluster-management.io/secret-type=acm-cluster") - -# These secrets are usually in the form of: -# data: -# config: ewogIC... -# name: bWNnLW9uZQ== -# server: aHR0cHM6Ly9hcGkubWNnLW9uZS5ibHVlcHJpbnRzLnJoZWNvZW5nLmNvbTo2NDQz - -# The filter parses the secret (name, server, config) and returns a dictionary of secrets in the -# following form: -# : -# name: -# cluster_fqdn: -# server_api: https://api.:6443 -# bearerToken: -# tlsClientConfig: -# vault_path: "hub" when it is the ACM hub or in the other cases - -import json -from base64 import b64decode - - -# These are the labels of an acm secret -# labels: -# apps.open-cluster-management.io/cluster-name: local-cluster -# apps.open-cluster-management.io/cluster-server: api.mcg-hub.blueprints.rhecoeng.com -# apps.open-cluster-management.io/secret-type: acm-cluster -def get_cluster_name(secret): - if "metadata" in secret and "labels" in secret["metadata"]: - return secret["metadata"]["labels"].get( - "apps.open-cluster-management.io/cluster-name", None - ) - return None - - -def is_cluster_a_hub(name): - if name == "local-cluster": - return True - return False - - -def get_cluster_fqdn(secret): - if "metadata" in secret and "labels" in secret["metadata"]: - server = secret["metadata"]["labels"].get( - "apps.open-cluster-management.io/cluster-server", None - ) - # It is rather hard to override this in an OCP deployment so we are - # okay in just dropping 'api.' - return server.removeprefix("api.") - return None - - -def parse_acm_secrets(secrets): - ret = {} - for secret in secrets: - cluster = get_cluster_name(secret) - if cluster is None: - continue - - ret[cluster] = {} - name = b64decode(secret["data"]["name"]) - ret[cluster]["name"] = name - ret[cluster]["server_api"] = b64decode(secret["data"]["server"]) - fqdn = get_cluster_fqdn(secret) - ret[cluster]["cluster_fqdn"] = fqdn - if is_cluster_a_hub(name): - ret[cluster]["vault_path"] = "hub" - else: - ret[cluster]["vault_path"] = fqdn - - config = b64decode(secret["data"]["config"]) - parsed_config = json.loads(config) - ret[cluster]["bearerToken"] = parsed_config["bearerToken"] - ret[cluster]["tlsClientConfig"] = parsed_config["tlsClientConfig"] - - return ret - - -class FilterModule: - - def filters(self): - return {"parse_acm_secrets": parse_acm_secrets} diff --git a/common/ansible/plugins/module_utils/load_secrets_common.py b/common/ansible/plugins/module_utils/load_secrets_common.py deleted file mode 100644 index b4ebc816..00000000 --- a/common/ansible/plugins/module_utils/load_secrets_common.py +++ /dev/null @@ -1,124 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Module that implements some common functions -""" - -import configparser -from collections.abc import MutableMapping - - -def find_dupes(array): - """ - Returns duplicate items in a list - - Parameters: - l(list): Array to check for duplicate entries - - Returns: - dupes(list): Array containing all the duplicates and [] is there are none - """ - seen = set() - dupes = [] - for x in array: - if x in seen: - dupes.append(x) - else: - seen.add(x) - return dupes - - -def get_version(syaml): - """ - Return the version: of the parsed yaml object. If it does not exist - return 1.0 - - Returns: - ret(str): The version value in of the top-level 'version:' key - """ - return str(syaml.get("version", "1.0")) - - -def flatten(dictionary, parent_key=False, separator="."): - """ - Turn a nested dictionary into a flattened dictionary and also - drop any key that has 'None' as their value - - Parameters: - dictionary(dict): The dictionary to flatten - - parent_key(str): The string to prepend to dictionary's keys - - separator(str): The string used to separate flattened keys - - Returns: - - dictionary: A flattened dictionary where the keys represent the - path to reach the leaves - """ - - items = [] - for key, value in dictionary.items(): - new_key = str(parent_key) + separator + key if parent_key else key - if isinstance(value, MutableMapping): - items.extend(flatten(value, new_key, separator).items()) - elif isinstance(value, list): - for k, v in enumerate(value): - items.extend(flatten({str(k): v}, new_key).items()) - else: - if value is not None: - items.append((new_key, value)) - return dict(items) - - -def get_ini_value(inifile, inisection, inikey): - """ - Return a value from an ini-file or 'None' if it does not exist - - Parameters: - inifile(str): The path to the ini-file - - inisection(str): The section in the ini-file to look for the key - - inikey(str): The key to look up inside the ini-file's section - - Returns: - - obj: The value of the key or None if it does not exist - """ - config = configparser.ConfigParser() - config.read(inifile) - return config.get(inisection, inikey, fallback=None) - - -def stringify_dict(input_dict): - """ - Return a dict whose keys and values are all co-erced to strings, for creating labels and annotations in the - python Kubernetes module - - Parameters: - input_dict(dict): A dictionary of keys and values - - Returns: - - obj: The same dict in the same order but with the keys coerced to str - """ - output_dict = {} - - for key, value in input_dict.items(): - output_dict[str(key)] = str(value) - - return output_dict diff --git a/common/ansible/plugins/module_utils/load_secrets_v1.py b/common/ansible/plugins/module_utils/load_secrets_v1.py deleted file mode 100644 index 8b89d85a..00000000 --- a/common/ansible/plugins/module_utils/load_secrets_v1.py +++ /dev/null @@ -1,268 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Module that implements V1 of the values-secret.yaml spec -""" - -import base64 -import os -import time - -import yaml -from ansible.module_utils.load_secrets_common import flatten, get_version - - -class LoadSecretsV1: - - def __init__( - self, - module, - syaml, - basepath, - namespace, - pod, - values_secret_template, - check_missing_secrets, - ): - self.module = module - self.basepath = basepath - self.namespace = namespace - self.pod = pod - self.values_secret_template = values_secret_template - self.check_missing_secrets = check_missing_secrets - self.syaml = syaml - - def _run_command(self, command, attempts=1, sleep=3): - """ - Runs a command on the host ansible is running on. A failing command - will raise an exception in this function directly (due to check=True) - - Parameters: - command(str): The command to be run. - attempts(int): Number of times to retry in case of Error (defaults to 1) - sleep(int): Number of seconds to wait in between retry attempts (defaults to 3s) - - Returns: - ret(subprocess.CompletedProcess): The return value from run() - """ - for attempt in range(attempts): - ret = self.module.run_command( - command, - check_rc=True, - use_unsafe_shell=True, - environ_update=os.environ.copy(), - ) - if ret[0] == 0: - return ret - if attempt >= attempts - 1: - return ret - time.sleep(sleep) - - def sanitize_values(self): - """ - Sanitizes the secrets YAML object. If a specific secret key has - s3.accessKey and s3.secretKey but not s3Secret, the latter will be - generated as the base64 encoding of both s3.accessKey and s3.secretKey. - - secrets: - test: - s3.accessKey: "1234" - s3.secretKey: "4321" - - will push three secrets at 'secret/hub/test': - - s3.accessKey: 1234 - s3.secretKey: 4321 - s3Secret: czMuYWNjZXNzS2V5OiAxMjM0CnMzLnNlY3JldEtleTogNDMyMQ== - - Parameters: - - Returns: - Nothing: Updates self.syaml(obj) - """ - v = get_version(self.syaml) - if v != "1.0": - self.module.fail_json(f"Version is not 1.0: {v}") - - if not ("secrets" in self.syaml or "files" in self.syaml): - self.module.fail_json( - f"Values secrets file does not contain 'secrets' or" - f"'files' keys: {self.syaml}" - ) - - if self.check_missing_secrets and self.values_secret_template == "": - self.module.fail_json( - "No values_secret_template defined and check_missing_secrets set to True" - ) - # If the user specified check_for_missing_secrets then we read values_secret_template - # and check if there are any missing secrets. Makes sense only for v1.0 - if self.check_missing_secrets: - self.check_for_missing_secrets() - - secrets = self.syaml.get("secrets", {}) - # We need to explicitely check for None because the file might contain the - # top-level 'secrets:' or 'files:' key but have nothing else under it which will - # return None and not {} - if secrets is None: - secrets = {} - files = self.syaml.get("files", {}) - if files is None: - files = {} - if len(secrets) == 0 and len(files) == 0: - self.module.fail_json( - "Neither 'secrets' nor 'files have any secrets to be parsed" - ) - - if isinstance(secrets, list) or isinstance(files, list): - self.module.fail_json("Neither 'secrets' nor 'files can be lists") - - for secret in secrets: - if not isinstance(secrets[secret], dict): - self.module.fail_json( - "Each key under 'secrets' needs to point to " - "a dictionary of key value pairs" - ) - - for file in files: - path = files[file] - if not os.path.isfile(os.path.expanduser(path)): - self.module.fail_json(f"File {path} does not exist") - - # If s3Secret key does not exist but s3.accessKey and s3.secretKey do exist - # generate s3Secret so a user does not need to do it manually which tends to be error-prone - for secret in secrets: - tmp = secrets[secret] - if ( - "s3.accessKey" in tmp - and "s3.secretKey" in tmp - and "s3Secret" not in tmp - ): - s3secret = ( - f"s3.accessKey: {tmp['s3.accessKey']}\n" - f"s3.secretKey: {tmp['s3.secretKey']}" - ) - s3secretb64 = base64.b64encode(s3secret.encode()) - secrets[secret]["s3Secret"] = s3secretb64.decode("utf-8") - - def get_secrets_vault_paths(self, keyname): - """ - Walks a secrets yaml object to look for all top-level keys that start with - 'keyname' and returns a list of tuples [(keyname1, path1), (keyname2, path2)...] - where the path is the relative vault path - For example, given a yaml with the following: - secrets: - foo: bar - secrets.region1: - foo: baz - secrets.region2: - foo: barbaz - - a call with keyname set to 'secrets' will return the following: - [('secrets', 'hub'), ('secrets', 'region1'), ('secrets', 'region2')] - - Parameters: - keyname(str): The keytypes to look for either usually 'secrets' or 'files' - - Returns: - keys_paths(list): List of tuples containing (keyname, relative-vault-path) - """ - all_keys = self.syaml.keys() - keys_paths = [] - for key in all_keys: - # We skip any key that does not start with 'secrets' or 'files' - # (We should probably bail out in the presence of unexpected top-level keys) - if not key.startswith(keyname): - continue - - # If there is no '.' after secrets or files, assume the secrets need to - # go to the hub vault path - if key == keyname: - keys_paths.append((key, "hub")) - continue - - # We are in the presence of either 'secrets.region-one' or 'files.cluster1' top-level keys - tmp = key.split(".", 1) - if len(tmp) != 2: - self.module.fail_json( - f"values-secrets.yaml key is non-conformant: {key}" - ) - - keys_paths.append((key, tmp[1])) - - return keys_paths - - # NOTE(bandini): we shell out to oc exec it because of - # https://github.com/ansible-collections/kubernetes.core/issues/506 and - # https://github.com/kubernetes/kubernetes/issues/89899. Until those are solved - # it makes little sense to invoke the APIs via the python wrappers - def inject_secrets(self): - """ - Walks a secrets yaml object and injects all the secrets into the vault via 'oc exec' calls - - Parameters: - - Returns: - counter(int): The number of secrets injected - """ - counter = 0 - for i in self.get_secrets_vault_paths("secrets"): - path = f"{self.basepath}/{i[1]}" - for secret in self.syaml[i[0]] or []: - properties = "" - for key, value in self.syaml[i[0]][secret].items(): - properties += f"{key}='{value}' " - properties = properties.rstrip() - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"vault kv put '{path}/{secret}' {properties}\"" - ) - self._run_command(cmd, attempts=3) - counter += 1 - - for i in self.get_secrets_vault_paths("files"): - path = f"{self.basepath}/{i[1]}" - for filekey in self.syaml[i[0]] or []: - file = os.path.expanduser(self.syaml[i[0]][filekey]) - cmd = ( - f"cat '{file}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"'cat - > /tmp/vcontent'; " - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | " - f"vault kv put {path}/{filekey} b64content=- content=@/tmp/vcontent; " - f"rm /tmp/vcontent'" - ) - self._run_command(cmd, attempts=3) - counter += 1 - return counter - - def check_for_missing_secrets(self): - with open(self.values_secret_template, "r", encoding="utf-8") as file: - template_yaml = yaml.safe_load(file.read()) - if template_yaml is None: - self.module.fail_json(f"Template {self.values_secret_template} is empty") - - syaml_flat = flatten(self.syaml) - template_flat = flatten(template_yaml) - - syaml_keys = set(syaml_flat.keys()) - template_keys = set(template_flat.keys()) - - if template_keys <= syaml_keys: - return - - diff = template_keys - syaml_keys - self.module.fail_json( - f"Values secret yaml is missing needed secrets from the templates: {diff}" - ) diff --git a/common/ansible/plugins/module_utils/load_secrets_v2.py b/common/ansible/plugins/module_utils/load_secrets_v2.py deleted file mode 100644 index 46cdcffa..00000000 --- a/common/ansible/plugins/module_utils/load_secrets_v2.py +++ /dev/null @@ -1,457 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Module that implements V2 of the values-secret.yaml spec -""" - -import base64 -import getpass -import os -import time - -from ansible.module_utils.load_secrets_common import ( - find_dupes, - get_ini_value, - get_version, -) - -default_vp_vault_policies = { - "validatedPatternDefaultPolicy": ( - "length=20\n" - 'rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\n' - 'rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\n' - 'rule "charset" { charset = "0123456789" min-chars = 1 }\n' - 'rule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' - ) -} - - -class LoadSecretsV2: - - def __init__(self, module, syaml, namespace, pod): - self.module = module - self.namespace = namespace - self.pod = pod - self.syaml = syaml - - def _run_command(self, command, attempts=1, sleep=3, checkrc=True): - """ - Runs a command on the host ansible is running on. A failing command - will raise an exception in this function directly (due to check=True) - - Parameters: - command(str): The command to be run. - attempts(int): Number of times to retry in case of Error (defaults to 1) - sleep(int): Number of seconds to wait in between retry attempts (defaults to 3s) - - Returns: - ret(subprocess.CompletedProcess): The return value from run() - """ - for attempt in range(attempts): - ret = self.module.run_command( - command, - check_rc=checkrc, - use_unsafe_shell=True, - environ_update=os.environ.copy(), - ) - if ret[0] == 0: - return ret - if attempt >= attempts - 1: - return ret - time.sleep(sleep) - - def _get_backingstore(self): - """ - Return the backingStore: of the parsed yaml object. If it does not exist - return 'vault' - - Returns: - ret(str): The value of the top-level 'backingStore:' key - """ - return str(self.syaml.get("backingStore", "vault")) - - def _get_vault_policies(self, enable_default_vp_policies=True): - # We start off with the hard-coded default VP policy and add the user-defined ones - if enable_default_vp_policies: - policies = default_vp_vault_policies.copy() - else: - policies = {} - policies.update(self.syaml.get("vaultPolicies", {})) - return policies - - def _get_secrets(self): - return self.syaml.get("secrets", {}) - - def _get_field_on_missing_value(self, f): - # By default if 'onMissingValue' is missing we assume we need to - # error out whenever the value is missing - return f.get("onMissingValue", "error") - - def _get_field_value(self, f): - return f.get("value", None) - - def _get_field_path(self, f): - return f.get("path", None) - - def _get_field_ini_file(self, f): - return f.get("ini_file", None) - - def _get_field_kind(self, f): - # value: null will be interpreted with None, so let's just - # check for the existence of the field, as we use 'value: null' to say - # "we want a value/secret and not a file path" - found = [] - for i in ["value", "path", "ini_file"]: - if i in f: - found.append(i) - - if len(found) > 1: # you can only have one of value, path and ini_file - self.module.fail_json(f"Both '{found[0]}' and '{found[1]}' cannot be used") - - if len(found) == 0: - return "" - return found[0] - - def _get_field_prompt(self, f): - return f.get("prompt", None) - - def _get_field_base64(self, f): - return bool(f.get("base64", False)) - - def _get_field_override(self, f): - return bool(f.get("override", False)) - - # This function could use some rewriting and it should call a specific validation function - # for each type (value, path, ini_file) - def _validate_field(self, f): - # These fields are mandatory - try: - _ = f["name"] - except KeyError: - return (False, f"Field {f} is missing name") - - on_missing_value = self._get_field_on_missing_value(f) - if on_missing_value not in ["error", "generate", "prompt"]: - return (False, f"onMissingValue: {on_missing_value} is invalid") - - value = self._get_field_value(f) - path = self._get_field_path(f) - ini_file = self._get_field_ini_file(f) - kind = self._get_field_kind(f) - if kind == "ini_file": - # if we are using ini_file then at least ini_key needs to be defined - # ini_section defaults to 'default' when omitted - ini_key = f.get("ini_key", None) - if ini_key is None: - return ( - False, - "ini_file requires at least ini_key to be defined", - ) - - # Test if base64 is a correct boolean (defaults to False) - _ = self._get_field_base64(f) - _ = self._get_field_override(f) - - vault_policy = f.get("vaultPolicy", None) - if vault_policy is not None and vault_policy not in self._get_vault_policies(): - return ( - False, - f"Secret has vaultPolicy set to {vault_policy} but no such policy exists", - ) - - if on_missing_value in ["error"]: - if ( - (value is None or len(value) < 1) - and (path is None or len(path) < 1) - and (ini_file is None or len(ini_file) < 1) - ): - return ( - False, - "Secret has onMissingValue set to 'error' and has neither value nor path nor ini_file set", - ) - if path is not None and not os.path.isfile(os.path.expanduser(path)): - return (False, f"Field has non-existing path: {path}") - - if ini_file is not None and not os.path.isfile( - os.path.expanduser(ini_file) - ): - return (False, f"Field has non-existing ini_file: {ini_file}") - - if "override" in f: - return ( - False, - "'override' attribute requires 'onMissingValue' to be set to 'generate'", - ) - - if on_missing_value in ["generate"]: - if value is not None: - return ( - False, - "Secret has onMissingValue set to 'generate' but has a value set", - ) - if path is not None: - return ( - False, - "Secret has onMissingValue set to 'generate' but has a path set", - ) - if vault_policy is None: - return ( - False, - "Secret has no vaultPolicy but onMissingValue is set to 'generate'", - ) - - if on_missing_value in ["prompt"]: - # When we prompt, the user needs to set one of the following: - # - value: null # prompt for a secret without a default value - # - value: 123 # prompt for a secret but use a default value - # - path: null # prompt for a file path without a default value - # - path: /tmp/ca.crt # prompt for a file path with a default value - if "value" not in f and "path" not in f: - return ( - False, - "Secret has onMissingValue set to 'prompt' but has no value nor path fields", - ) - - if "override" in f: - return ( - False, - "'override' attribute requires 'onMissingValue' to be set to 'generate'", - ) - - return (True, "") - - def _validate_secrets(self): - secrets = self._get_secrets() - if len(secrets) == 0: - self.module.fail_json("No secrets found") - - names = [] - for s in secrets: - # These fields are mandatory - for i in ["name"]: - try: - _ = s[i] - except KeyError: - return (False, f"Secret {s['name']} is missing {i}") - names.append(s["name"]) - - vault_prefixes = s.get("vaultPrefixes", ["hub"]) - # This checks for the case when vaultPrefixes: is specified but empty - if vault_prefixes is None or len(vault_prefixes) == 0: - return (False, f"Secret {s['name']} has empty vaultPrefixes") - - fields = s.get("fields", []) - if len(fields) == 0: - return (False, f"Secret {s['name']} does not have any fields") - - field_names = [] - for i in fields: - (ret, msg) = self._validate_field(i) - if not ret: - return (False, msg) - field_names.append(i["name"]) - field_dupes = find_dupes(field_names) - if len(field_dupes) > 0: - return (False, f"You cannot have duplicate field names: {field_dupes}") - - dupes = find_dupes(names) - if len(dupes) > 0: - return (False, f"You cannot have duplicate secret names: {dupes}") - return (True, "") - - def inject_vault_policies(self): - for name, policy in self._get_vault_policies().items(): - cmd = ( - f"echo '{policy}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"'cat - > /tmp/{name}.hcl';" - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c 'vault write sys/policies/password/{name} " - f" policy=@/tmp/{name}.hcl'" - ) - self._run_command(cmd, attempts=3) - - def sanitize_values(self): - """ - Sanitizes the secrets YAML object version 2.0 - - Parameters: - - Returns: - Nothing: Updates self.syaml(obj) if needed - """ - v = get_version(self.syaml) - if v != "2.0": - self.module.fail_json(f"Version is not 2.0: {v}") - - backing_store = self._get_backingstore() - if backing_store != "vault": # we currently only support vault - self.module.fail_json( - f"Currently only the 'vault' backingStore is supported: {backing_store}" - ) - - (ret, msg) = self._validate_secrets() - if not ret: - self.module.fail_json(msg) - - def _get_secret_value(self, name, field): - on_missing_value = self._get_field_on_missing_value(field) - # We cannot use match + case as RHEL8 has python 3.9 (it needs 3.10) - # We checked for errors in _validate_secrets() already - if on_missing_value == "error": - return field.get("value") - elif on_missing_value == "prompt": - prompt = self._get_field_prompt(field) - if prompt is None: - prompt = f"Type secret for {name}/{field['name']}: " - value = self._get_field_value(field) - if value is not None: - prompt += f" [{value}]" - prompt += ": " - return getpass.getpass(prompt) - return None - - def _get_file_path(self, name, field): - on_missing_value = self._get_field_on_missing_value(field) - if on_missing_value == "error": - return os.path.expanduser(field.get("path")) - elif on_missing_value == "prompt": - prompt = self._get_field_prompt(field) - path = self._get_field_path(field) - if path is None: - path = "" - - if prompt is None: - text = f"Type path for file {name}/{field['name']} [{path}]: " - else: - text = f"{prompt} [{path}]: " - - newpath = getpass.getpass(text) - if newpath == "": # Set the default if no string was entered - newpath = path - - if os.path.isfile(os.path.expanduser(newpath)): - return newpath - self.module.fail_json(f"File {newpath} not found, exiting") - - self.module.fail_json("File with wrong onMissingValue") - - def _vault_secret_attr_exists(self, mount, prefix, secret_name, attribute): - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f'"vault kv get -mount={mount} -field={attribute} {prefix}/{secret_name}"' - ) - # we ignore stdout and stderr - (ret, _, _) = self._run_command(cmd, attempts=1, checkrc=False) - if ret == 0: - return True - - return False - - def _inject_field(self, secret_name, f, mount, prefixes, first=False): - on_missing_value = self._get_field_on_missing_value(f) - override = self._get_field_override(f) - kind = self._get_field_kind(f) - # If we're generating the password then we just push the secret in the vault directly - verb = "put" if first else "patch" - b64 = self._get_field_base64(f) - if kind in ["value", ""]: - if on_missing_value == "generate": - if kind == "path": - self.module.fail_json( - "You cannot have onMissingValue set to 'generate' with a path" - ) - vault_policy = f.get("vaultPolicy") - gen_cmd = f"vault read -field=password sys/policies/password/{vault_policy}/generate" - if b64: - gen_cmd += " | base64 --wrap=0" - for prefix in prefixes: - # if the override field is False and the secret attribute exists at the prefix then we just - # skip, as we do not want to overwrite the existing secret - if not override and self._vault_secret_attr_exists( - mount, prefix, secret_name, f["name"] - ): - continue - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"{gen_cmd} | vault kv {verb} -mount={mount} {prefix}/{secret_name} {f['name']}=-\"" - ) - self._run_command(cmd, attempts=3) - return - - # If we're not generating the secret inside the vault directly we either read it from the file ("error") - # or we are prompting the user for it - secret = self._get_secret_value(secret_name, f) - if b64: - secret = base64.b64encode(secret.encode()).decode("utf-8") - for prefix in prefixes: - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"vault kv {verb} -mount={mount} {prefix}/{secret_name} {f['name']}='{secret}'\"" - ) - self._run_command(cmd, attempts=3) - - elif kind == "path": # path. we upload files - # If we're generating the password then we just push the secret in the vault directly - verb = "put" if first else "patch" - path = self._get_file_path(secret_name, f) - for prefix in prefixes: - if b64: - b64_cmd = "| base64 --wrap=0 " - else: - b64_cmd = "" - cmd = ( - f"cat '{path}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"'cat - {b64_cmd}> /tmp/vcontent'; " - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c '" - f"vault kv {verb} -mount={mount} {prefix}/{secret_name} {f['name']}=@/tmp/vcontent; " - f"rm /tmp/vcontent'" - ) - self._run_command(cmd, attempts=3) - elif kind == "ini_file": # ini_file. we parse an ini_file - verb = "put" if first else "patch" - ini_file = os.path.expanduser(f.get("ini_file")) - ini_section = f.get("ini_section", "default") - ini_key = f.get("ini_key") - secret = get_ini_value(ini_file, ini_section, ini_key) - if b64: - secret = base64.b64encode(secret.encode()).decode("utf-8") - for prefix in prefixes: - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"vault kv {verb} -mount={mount} {prefix}/{secret_name} {f['name']}='{secret}'\"" - ) - self._run_command(cmd, attempts=3) - - # This assumes that self.sanitize_values() has already been called - # so we do a lot less validation as it has already happened - def inject_secrets(self): - # This must come first as some passwords might depend on vault policies to exist. - # It is a noop when no policies are defined - self.inject_vault_policies() - secrets = self._get_secrets() - - total_secrets = 0 # Counter for all the secrets uploaded - for s in secrets: - counter = 0 # This counter is to use kv put on first secret and kv patch on latter - sname = s.get("name") - fields = s.get("fields", []) - mount = s.get("vaultMount", "secret") - vault_prefixes = s.get("vaultPrefixes", ["hub"]) - for i in fields: - self._inject_field(sname, i, mount, vault_prefixes, counter == 0) - counter += 1 - total_secrets += 1 - - return total_secrets diff --git a/common/ansible/plugins/module_utils/parse_secrets_v2.py b/common/ansible/plugins/module_utils/parse_secrets_v2.py deleted file mode 100644 index f88579b6..00000000 --- a/common/ansible/plugins/module_utils/parse_secrets_v2.py +++ /dev/null @@ -1,528 +0,0 @@ -# Copyright 2022, 2023 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Module that implements V2 of the values-secret.yaml spec -""" - -import base64 -import getpass -import os - -from ansible.module_utils.load_secrets_common import ( - find_dupes, - get_ini_value, - get_version, - stringify_dict, -) - -default_vp_vault_policies = { - "validatedPatternDefaultPolicy": ( - "length=20\n" - 'rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\n' - 'rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\n' - 'rule "charset" { charset = "0123456789" min-chars = 1 }\n' - 'rule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' - ) -} - -secret_store_namespace = "validated-patterns-secrets" - - -class ParseSecretsV2: - - def __init__(self, module, syaml, secrets_backing_store): - self.module = module - self.syaml = syaml - self.secrets_backing_store = str(secrets_backing_store) - self.secret_store_namespace = None - self.parsed_secrets = {} - self.kubernetes_secret_objects = [] - self.vault_policies = {} - - def _get_backingstore(self): - """ - Backing store is now influenced by the caller more than the file. Setting - Return the backingStore: of the parsed yaml object. In most cases the file - key was not set anyway - since vault was the only supported option. Since - we are introducing new options now, this method of defining behavior is - deprecated, but if the file key is included it must match the option defined - by values-global in the pattern, or there is an error. The default remains - 'vault' if the key is unspecified. - - Returns: - ret(str): The value of the top-level 'backingStore:' key - """ - file_backing_store = str(self.syaml.get("backingStore", "unset")) - - if file_backing_store == "unset": - pass - else: - if file_backing_store != self.secrets_backing_store: - self.module.fail_json( - f"Secrets file specifies '{file_backing_store}' backend but pattern config " - f"specifies '{self.secrets_backing_store}'." - ) - - return self.secrets_backing_store - - def _get_vault_policies(self, enable_default_vp_policies=True): - # We start off with the hard-coded default VP policy and add the user-defined ones - if enable_default_vp_policies: - policies = default_vp_vault_policies.copy() - else: - policies = {} - - # This is useful for embedded newlines, which occur with YAML - # flow-type scalars (|, |- for example) - for name, policy in self.syaml.get("vaultPolicies", {}).items(): - policies[name] = self._sanitize_yaml_value(policy) - - return policies - - def _get_secrets(self): - return self.syaml.get("secrets", {}) - - def _get_field_on_missing_value(self, f): - # By default if 'onMissingValue' is missing we assume we need to - # error out whenever the value is missing - return f.get("onMissingValue", "error") - - def _get_field_value(self, f): - return f.get("value", None) - - def _get_field_path(self, f): - return f.get("path", None) - - def _get_field_ini_file(self, f): - return f.get("ini_file", None) - - def _get_field_annotations(self, f): - return f.get("annotations", {}) - - def _get_field_labels(self, f): - return f.get("labels", {}) - - def _get_field_kind(self, f): - # value: null will be interpreted with None, so let's just - # check for the existence of the field, as we use 'value: null' to say - # "we want a value/secret and not a file path" - found = [] - for i in ["value", "path", "ini_file"]: - if i in f: - found.append(i) - - if len(found) > 1: # you can only have one of value, path and ini_file - self.module.fail_json( - f"Both '{found[0]}' and '{found[1]}' cannot be used " - f"in field {f['name']}" - ) - - if len(found) == 0: - return "" - return found[0] - - def _get_field_prompt(self, f): - return f.get("prompt", None) - - def _get_field_base64(self, f): - return bool(f.get("base64", False)) - - def _get_field_override(self, f): - return bool(f.get("override", False)) - - def _get_secret_store_namespace(self): - return str(self.syaml.get("secretStoreNamespace", secret_store_namespace)) - - def _get_vault_prefixes(self, s): - return list(s.get("vaultPrefixes", ["hub"])) - - def _get_default_labels(self): - return self.syaml.get("defaultLabels", {}) - - def _get_default_annotations(self): - return self.syaml.get("defaultAnnotations", {}) - - def _append_kubernetes_secret(self, secret_obj): - self.kubernetes_secret_objects.append(secret_obj) - - def _sanitize_yaml_value(self, value): - # This is useful for embedded newlines, which occur with YAML - # flow-type scalars (|, |- for example) - if value is not None: - sanitized_value = bytes(value, "utf-8").decode("unicode_escape") - else: - sanitized_value = None - - return sanitized_value - - def _create_k8s_secret(self, sname, secret_type, namespace, labels, annotations): - return { - "type": secret_type, - "kind": "Secret", - "apiVersion": "v1", - "metadata": { - "name": sname, - "namespace": namespace, - "annotations": annotations, - "labels": labels, - }, - "stringData": {}, - } - - # This does what inject_secrets used to (mostly) - def parse(self): - self.sanitize_values() - self.vault_policies = self._get_vault_policies() - self.secret_store_namespace = self._get_secret_store_namespace() - backing_store = self._get_backingstore() - secrets = self._get_secrets() - - total_secrets = 0 # Counter for all the secrets uploaded - for s in secrets: - total_secrets += 1 - counter = 0 # This counter is to use kv put on first secret and kv patch on latter - sname = s.get("name") - fields = s.get("fields", []) - vault_prefixes = self._get_vault_prefixes(s) - secret_type = s.get("type", "Opaque") - vault_mount = s.get("vaultMount", "secret") - target_namespaces = s.get("targetNamespaces", []) - labels = stringify_dict(s.get("labels", self._get_default_labels())) - annotations = stringify_dict( - s.get("annotations", self._get_default_annotations()) - ) - - self.parsed_secrets[sname] = { - "name": sname, - "fields": {}, - "vault_mount": vault_mount, - "vault_policies": {}, - "vault_prefixes": vault_prefixes, - "override": [], - "generate": [], - "paths": {}, - "base64": [], - "ini_file": {}, - "type": secret_type, - "target_namespaces": target_namespaces, - "labels": labels, - "annotations": annotations, - } - - for i in fields: - self._inject_field(sname, i) - counter += 1 - - if backing_store == "kubernetes": - k8s_namespaces = [self._get_secret_store_namespace()] - else: - k8s_namespaces = target_namespaces - - for tns in k8s_namespaces: - k8s_secret = self._create_k8s_secret( - sname, secret_type, tns, labels, annotations - ) - k8s_secret["stringData"] = self.parsed_secrets[sname]["fields"] - self.kubernetes_secret_objects.append(k8s_secret) - - return total_secrets - - # This function could use some rewriting and it should call a specific validation function - # for each type (value, path, ini_file) - def _validate_field(self, f): - # These fields are mandatory - try: - _ = f["name"] - except KeyError: - return (False, f"Field {f} is missing name") - - on_missing_value = self._get_field_on_missing_value(f) - if on_missing_value not in ["error", "generate", "prompt"]: - return (False, f"onMissingValue: {on_missing_value} is invalid") - - value = self._get_field_value(f) - path = self._get_field_path(f) - ini_file = self._get_field_ini_file(f) - kind = self._get_field_kind(f) - if kind == "ini_file": - # if we are using ini_file then at least ini_key needs to be defined - # ini_section defaults to 'default' when omitted - ini_key = f.get("ini_key", None) - if ini_key is None: - return ( - False, - "ini_file requires at least ini_key to be defined", - ) - - # Test if base64 is a correct boolean (defaults to False) - _ = self._get_field_base64(f) - _ = self._get_field_override(f) - - vault_policy = f.get("vaultPolicy", None) - if vault_policy is not None and vault_policy not in self._get_vault_policies(): - return ( - False, - f"Secret has vaultPolicy set to {vault_policy} but no such policy exists", - ) - - if on_missing_value in ["error"]: - if ( - (value is None or len(value) < 1) - and (path is None or len(path) < 1) - and (ini_file is None or len(ini_file) < 1) - ): - return ( - False, - "Secret has onMissingValue set to 'error' and has neither value nor path nor ini_file set", - ) - if path is not None and not os.path.isfile(os.path.expanduser(path)): - return (False, f"Field has non-existing path: {path}") - - if ini_file is not None and not os.path.isfile( - os.path.expanduser(ini_file) - ): - return (False, f"Field has non-existing ini_file: {ini_file}") - - if on_missing_value in ["prompt"]: - # When we prompt, the user needs to set one of the following: - # - value: null # prompt for a secret without a default value - # - value: 123 # prompt for a secret but use a default value - # - path: null # prompt for a file path without a default value - # - path: /tmp/ca.crt # prompt for a file path with a default value - if "value" not in f and "path" not in f: - return ( - False, - "Secret has onMissingValue set to 'prompt' but has no value nor path fields", - ) - - if "override" in f: - return ( - False, - "'override' attribute requires 'onMissingValue' to be set to 'generate'", - ) - - return (True, "") - - def _validate_secrets(self): - backing_store = self._get_backingstore() - secrets = self._get_secrets() - if len(secrets) == 0: - self.module.fail_json("No secrets found") - - names = [] - for s in secrets: - # These fields are mandatory - for i in ["name"]: - try: - _ = s[i] - except KeyError: - return (False, f"Secret {s['name']} is missing {i}") - names.append(s["name"]) - - vault_prefixes = s.get("vaultPrefixes", ["hub"]) - # This checks for the case when vaultPrefixes: is specified but empty - if vault_prefixes is None or len(vault_prefixes) == 0: - return (False, f"Secret {s['name']} has empty vaultPrefixes") - - namespaces = s.get("targetNamespaces", []) - if not isinstance(namespaces, list): - return (False, f"Secret {s['name']} targetNamespaces must be a list") - - if backing_store == "none" and namespaces == []: - return ( - False, - f"Secret {s['name']} targetNamespaces cannot be empty for secrets backend {backing_store}", - ) # noqa: E501 - - labels = s.get("labels", {}) - if not isinstance(labels, dict): - return (False, f"Secret {s['name']} labels must be a dictionary") - - annotations = s.get("annotations", {}) - if not isinstance(annotations, dict): - return (False, f"Secret {s['name']} annotations must be a dictionary") - - fields = s.get("fields", []) - if len(fields) == 0: - return (False, f"Secret {s['name']} does not have any fields") - - field_names = [] - for i in fields: - (ret, msg) = self._validate_field(i) - if not ret: - return (False, msg) - field_names.append(i["name"]) - field_dupes = find_dupes(field_names) - if len(field_dupes) > 0: - return (False, f"You cannot have duplicate field names: {field_dupes}") - - dupes = find_dupes(names) - if len(dupes) > 0: - return (False, f"You cannot have duplicate secret names: {dupes}") - return (True, "") - - def sanitize_values(self): - """ - Sanitizes the secrets YAML object version 2.0 - - Parameters: - - Returns: - Nothing: Updates self.syaml(obj) if needed - """ - v = get_version(self.syaml) - if v not in ["2.0"]: - self.module.fail_json(f"Version is not 2.0: {v}") - - backing_store = self._get_backingstore() - if backing_store not in [ - "kubernetes", - "vault", - "none", - ]: # we currently only support vault - self.module.fail_json( - f"Currently only the 'vault', 'kubernetes' and 'none' backingStores are supported: {backing_store}" - ) - - (ret, msg) = self._validate_secrets() - if not ret: - self.module.fail_json(msg) - - def _get_secret_value(self, name, field): - on_missing_value = self._get_field_on_missing_value(field) - # We cannot use match + case as RHEL8 has python 3.9 (it needs 3.10) - # We checked for errors in _validate_secrets() already - if on_missing_value == "error": - return self._sanitize_yaml_value(field.get("value")) - elif on_missing_value == "prompt": - prompt = self._get_field_prompt(field) - if prompt is None: - prompt = f"Type secret for {name}/{field['name']}: " - value = self._get_field_value(field) - if value is not None: - prompt += f" [{value}]" - prompt += ": " - return getpass.getpass(prompt) - return None - - def _get_file_path(self, name, field): - on_missing_value = self._get_field_on_missing_value(field) - if on_missing_value == "error": - return os.path.expanduser(field.get("path")) - elif on_missing_value == "prompt": - prompt = self._get_field_prompt(field) - path = self._get_field_path(field) - if path is None: - path = "" - - if prompt is None: - text = f"Type path for file {name}/{field['name']} [{path}]: " - else: - text = f"{prompt} [{path}]: " - - newpath = getpass.getpass(text) - if newpath == "": # Set the default if no string was entered - newpath = path - - if os.path.isfile(os.path.expanduser(newpath)): - return newpath - self.module.fail_json(f"File {newpath} not found, exiting") - - self.module.fail_json("File with wrong onMissingValue") - - def _inject_field(self, secret_name, f): - on_missing_value = self._get_field_on_missing_value(f) - override = self._get_field_override(f) - kind = self._get_field_kind(f) - b64 = self._get_field_base64(f) - - if kind in ["value", ""]: - if on_missing_value == "generate": - self.parsed_secrets[secret_name]["generate"].append(f["name"]) - if self._get_backingstore() != "vault": - self.module.fail_json( - "You cannot have onMissingValue set to 'generate' unless using vault backingstore " - f"for secret {secret_name} field {f['name']}" - ) - else: - if kind in ["path", "ini_file"]: - self.module.fail_json( - "You cannot have onMissingValue set to 'generate' with a path or ini_file" - f" for secret {secret_name} field {f['name']}" - ) - - vault_policy = f.get("vaultPolicy", "validatedPatternDefaultPolicy") - - if override: - self.parsed_secrets[secret_name]["override"].append(f["name"]) - - if b64: - self.parsed_secrets[secret_name]["base64"].append(f["name"]) - - self.parsed_secrets[secret_name]["fields"][f["name"]] = None - self.parsed_secrets[secret_name]["vault_policies"][ - f["name"] - ] = vault_policy - - return - - # If we're not generating the secret inside the vault directly we either read it from the file ("error") - # or we are prompting the user for it - secret = self._get_secret_value(secret_name, f) - if b64: - secret = base64.b64encode(secret.encode()).decode("utf-8") - self.parsed_secrets[secret_name]["base64"].append(f["name"]) - - self.parsed_secrets[secret_name]["fields"][f["name"]] = secret - - elif kind == "path": # path. we upload files - path = self._get_file_path(secret_name, f) - self.parsed_secrets[secret_name]["paths"][f["name"]] = path - - binfile = False - - # Default to UTF-8 - try: - secret = open(path, encoding="utf-8").read() - except UnicodeDecodeError: - secret = open(path, "rb").read() - binfile = True - - if b64: - self.parsed_secrets[secret_name]["base64"].append(f["name"]) - if binfile: - secret = base64.b64encode(bytes(secret)).decode("utf-8") - else: - secret = base64.b64encode(secret.encode()).decode("utf-8") - - self.parsed_secrets[secret_name]["fields"][f["name"]] = secret - elif kind == "ini_file": # ini_file. we parse an ini_file - ini_file = os.path.expanduser(f.get("ini_file")) - ini_section = f.get("ini_section", "default") - ini_key = f.get("ini_key") - secret = get_ini_value(ini_file, ini_section, ini_key) - if b64: - self.parsed_secrets[secret_name]["base64"].append(f["name"]) - secret = base64.b64encode(secret.encode()).decode("utf-8") - - self.parsed_secrets[secret_name]["ini_file"][f["name"]] = { - "ini_file": ini_file, - "ini_section": ini_section, - "ini_key": ini_key, - } - self.parsed_secrets[secret_name]["fields"][f["name"]] = secret - - return diff --git a/common/ansible/plugins/modules/parse_secrets_info.py b/common/ansible/plugins/modules/parse_secrets_info.py deleted file mode 100644 index b962271a..00000000 --- a/common/ansible/plugins/modules/parse_secrets_info.py +++ /dev/null @@ -1,149 +0,0 @@ -# Copyright 2022,2023 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Ansible plugin module that loads secrets from a yaml file and pushes them -inside the HashiCorp Vault in an OCP cluster. The values-secrets.yaml file is -expected to be in the following format: ---- -# version is optional. When not specified it is assumed it is 1.0 -version: 1.0 - -# These secrets will be pushed in the vault at secret/hub/test The vault will -# have secret/hub/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets: - test: - secret1: foo - secret2: bar - -# This will create the vault key secret/hub/testfoo which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files: - testfoo: ~/ca.crt - -# These secrets will be pushed in the vault at secret/region1/test The vault will -# have secret/region1/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets.region1: - test: - secret1: foo1 - secret2: bar1 - -# This will create the vault key secret/region2/testbar which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files.region2: - testbar: ~/ca.crt -""" - -import yaml -from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.parse_secrets_v2 import ParseSecretsV2 - -ANSIBLE_METADATA = { - "metadata_version": "1.2", - "status": ["preview"], - "supported_by": "community", -} - -DOCUMENTATION = """ ---- -module: parse_secrets_info -short_description: Parses a Validated Patterns Secrets file for later loading -version_added: "2.50" -author: "Martin Jackson" -description: - - Takes a values-secret.yaml file, parses and returns values for secrets loading. The goal here is to do all the - work of reading and interpreting the file and resolving the content pointers (that is, creating content where it - is given) such that that content is then available for secrets vaults to load. It does not attempt to load the - content or interpret the content beyond the conventions of the file format. (So, it knows how to retrieve - ini-keys, about paths, and about base64 but leaves interaction with backends to backend-specific code. -options: - values_secrets_plaintext: - description: - - The unencrypted content of the values-secrets file - required: true - type: str - secrets_backing_store: - description: - - The secrets backing store that will be used for parsed secrets (i.e. vault, kubernetes, none) - required: false - default: vault - type: str -""" - -RETURN = """ -""" - -EXAMPLES = """ -- name: Parse secrets file into objects - backingstore defaults to vault - parse_secrets_info: - values_secrets_plaintext: '{{ }}' - register: secrets_info - -- name: Parse secrets file into data structures - parse_secrets_info: - values_secrets_plaintext: '{{ }}' - secrets_backing_store: 'kubernetes' - register: secrets_info - -- name: Parse secrets file into data structures - parse_secrets_info: - values_secrets_plaintext: '{{ }}' - secrets_backing_store: 'none' - register: secrets_info -""" - - -def run(module): - """Main ansible module entry point""" - results = dict(changed=False) - - args = module.params - values_secrets_plaintext = args.get("values_secrets_plaintext", "") - secrets_backing_store = args.get("secrets_backing_store", "vault") - - syaml = yaml.safe_load(values_secrets_plaintext) - - if syaml is None: - syaml = {} - - parsed_secret_obj = ParseSecretsV2(module, syaml, secrets_backing_store) - parsed_secret_obj.parse() - - results["failed"] = False - results["changed"] = False - - results["vault_policies"] = parsed_secret_obj.vault_policies - results["parsed_secrets"] = parsed_secret_obj.parsed_secrets - results["kubernetes_secret_objects"] = parsed_secret_obj.kubernetes_secret_objects - results["secret_store_namespace"] = parsed_secret_obj.secret_store_namespace - - module.exit_json(**results) - - -def main(): - """Main entry point where the AnsibleModule class is instantiated""" - module = AnsibleModule( - argument_spec=yaml.safe_load(DOCUMENTATION)["options"], - supports_check_mode=True, - ) - run(module) - - -if __name__ == "__main__": - main() diff --git a/common/ansible/plugins/modules/vault_load_parsed_secrets.py b/common/ansible/plugins/modules/vault_load_parsed_secrets.py deleted file mode 100644 index f5acdc86..00000000 --- a/common/ansible/plugins/modules/vault_load_parsed_secrets.py +++ /dev/null @@ -1,303 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Ansible plugin module that loads secrets and policies once parsed and pushes them -into a HashiCorp Vault in an OCP cluster. The values-secrets.yaml file is -expected to be in the following format: ---- -# version is optional. When not specified it is assumed it is 2.0 -version: 2.0 - -""" - -import os -import time - -import yaml -from ansible.module_utils.basic import AnsibleModule - -ANSIBLE_METADATA = { - "metadata_version": "1.1", - "status": ["preview"], - "supported_by": "community", -} - -DOCUMENTATION = """ ---- -module: vault_load_parsed_secrets -short_description: Loads secrets into the HashiCorp Vault -version_added: "2.50" -author: "Martin Jackson" -description: - - Takes parsed secrets objects and vault policies (as delivered by parse_secrets_info) and runs the commands to - load them into a vault instance. The relevent metadata will exist in the parsed secrets object. Returns count - of secrets injected. -options: - parsed_secrets: - description: - - A structure containing the secrets, fields, and their metadata - required: true - type: dict - vault_policies: - description: - - Vault policies to inject into the instance. - required: true - type: dict - namespace: - description: - - Namespace where the vault is running - required: false - type: str - default: vault - pod: - description: - - Name of the vault pod to use to inject secrets - required: false - type: str - default: vault-0 -""" - -RETURN = """ -""" - -EXAMPLES = """ -- name: Loads secrets file into the vault of a cluster - vault_load_parsed_secrets: - parsed_secrets: "{{ parsed_secrets_structure_from_parse_secrets_info }}" - vault_policies: "{{ parsed_vault_policies_structure_from_parse_secrets_info }}" -""" - - -class VaultSecretLoader: - - def __init__( - self, - module, - parsed_secrets, - vault_policies, - namespace, - pod, - ): - self.module = module - self.parsed_secrets = parsed_secrets - self.vault_policies = vault_policies - self.namespace = namespace - self.pod = pod - - def _run_command(self, command, attempts=1, sleep=3, checkrc=True): - """ - Runs a command on the host ansible is running on. A failing command - will raise an exception in this function directly (due to check=True) - - Parameters: - command(str): The command to be run. - attempts(int): Number of times to retry in case of Error (defaults to 1) - sleep(int): Number of seconds to wait in between retry attempts (defaults to 3s) - - Returns: - ret(subprocess.CompletedProcess): The return value from run() - """ - for attempt in range(attempts): - ret = self.module.run_command( - command, - check_rc=checkrc, - use_unsafe_shell=True, - environ_update=os.environ.copy(), - ) - if ret[0] == 0: - return ret - if attempt >= attempts - 1: - return ret - time.sleep(sleep) - - def _vault_secret_attr_exists(self, mount, prefix, secret_name, attribute): - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f'"vault kv get -mount={mount} -field={attribute} {prefix}/{secret_name}"' - ) - # we ignore stdout and stderr - (ret, _, _) = self._run_command(cmd, attempts=1, checkrc=False) - if ret == 0: - return True - - return False - - def load_vault(self): - injected_secret_count = 0 - - self.inject_vault_policies() - - for secret_name, secret in self.parsed_secrets.items(): - self.inject_secret(secret_name, secret) - injected_secret_count += 1 - - return injected_secret_count - - def inject_field( - self, - secret_name, - soverride, - sbase64, - sgenerate, - spaths, - svault_policies, - fieldname, - fieldvalue, - mount, - vault_prefixes, - first=False, - ): - # Special cases: - # generate w|wo override - # path (w|wo b64) - # - # inifile secrets will be resolved by parser - # values (including base64'd ones) will be resolved by parser - # And we just ignore k8s or other fields - - override = True if fieldname in soverride else False - b64 = True if fieldname in sbase64 else False - generate = True if fieldname in sgenerate else False - path = spaths.get(fieldname, False) - prefixes = vault_prefixes - verb = "put" if first else "patch" - policy = svault_policies.get(fieldname, False) - - # "generate" secrets are created with policies and may be overridden or not - if generate: - gen_cmd = ( - f"vault read -field=password sys/policies/password/{policy}/generate" - ) - if b64: - gen_cmd += " | base64 --wrap=0" - for prefix in prefixes: - # if the override field is False and the secret attribute exists at the prefix then we just - # skip, as we do not want to overwrite the existing secret - if not override and self._vault_secret_attr_exists( - mount, prefix, secret_name, fieldname - ): - continue - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f'"{gen_cmd} | vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}=-"' - ) - self._run_command(cmd, attempts=3) - return - - if path: - for prefix in prefixes: - if b64: - b64_cmd = "| base64 --wrap=0" - else: - b64_cmd = "" - cmd = ( - f"cat '{path}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"'cat - {b64_cmd}> /tmp/vcontent'; " - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c '" - f"vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}=@/tmp/vcontent; " - f"rm /tmp/vcontent'" - ) - self._run_command(cmd, attempts=3) - return - - for prefix in prefixes: - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}='\"'{fieldvalue}'\"'\"" - ) - self._run_command(cmd, attempts=3) - return - - def inject_secret(self, secret_name, secret): - mount = secret.get("vault_mount", "secret") - vault_prefixes = secret.get("vault_prefixes", ["hub"]) - - counter = 0 - # In this structure, each field will have one value - for fname, fvalue in secret.get("fields").items(): - self.inject_field( - secret_name=secret_name, - soverride=secret["override"], - sbase64=secret["base64"], - sgenerate=secret["generate"], - spaths=secret["paths"], - svault_policies=secret["vault_policies"], - fieldname=fname, - fieldvalue=fvalue, - mount=mount, - vault_prefixes=vault_prefixes, - first=counter == 0, - ) - counter += 1 - return - - def inject_vault_policies(self): - for name, policy in self.vault_policies.items(): - cmd = ( - f"echo '{policy}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"'cat - > /tmp/{name}.hcl';" - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c 'vault write sys/policies/password/{name} " - f" policy=@/tmp/{name}.hcl'" - ) - self._run_command(cmd, attempts=3) - - -def run(module): - """Main ansible module entry point""" - results = dict(changed=False) - - args = module.params - - vault_policies = args.get("vault_policies", {}) - parsed_secrets = args.get("parsed_secrets", {}) - namespace = args.get("namespace", "vault") - pod = args.get("pod", "vault-0") - - if vault_policies == {}: - results["failed"] = True - module.fail_json("Must pass vault_policies") - - if parsed_secrets == {}: - results["failed"] = True - module.fail_json("Must pass parsed_secrets") - - loader = VaultSecretLoader( - module, - parsed_secrets, - vault_policies, - namespace, - pod, - ) - - nr_secrets = loader.load_vault() - - results["failed"] = False - results["changed"] = True - results["msg"] = f"{nr_secrets} secrets injected" - module.exit_json(**results) - - -def main(): - """Main entry point where the AnsibleModule class is instantiated""" - module = AnsibleModule( - argument_spec=yaml.safe_load(DOCUMENTATION)["options"], - supports_check_mode=False, - ) - run(module) - - -if __name__ == "__main__": - main() diff --git a/common/ansible/plugins/modules/vault_load_secrets.py b/common/ansible/plugins/modules/vault_load_secrets.py deleted file mode 100644 index 725b69b4..00000000 --- a/common/ansible/plugins/modules/vault_load_secrets.py +++ /dev/null @@ -1,209 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Ansible plugin module that loads secrets from a yaml file and pushes them -inside the HashiCorp Vault in an OCP cluster. The values-secrets.yaml file is -expected to be in the following format: ---- -# version is optional. When not specified it is assumed it is 1.0 -version: 1.0 - -# These secrets will be pushed in the vault at secret/hub/test The vault will -# have secret/hub/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets: - test: - secret1: foo - secret2: bar - -# This will create the vault key secret/hub/testfoo which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files: - testfoo: ~/ca.crt - -# These secrets will be pushed in the vault at secret/region1/test The vault will -# have secret/region1/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets.region1: - test: - secret1: foo1 - secret2: bar1 - -# This will create the vault key secret/region2/testbar which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files.region2: - testbar: ~/ca.crt -""" - -import os - -import yaml -from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.load_secrets_common import get_version -from ansible.module_utils.load_secrets_v1 import LoadSecretsV1 -from ansible.module_utils.load_secrets_v2 import LoadSecretsV2 - -ANSIBLE_METADATA = { - "metadata_version": "1.1", - "status": ["preview"], - "supported_by": "community", -} - -DOCUMENTATION = """ ---- -module: vault_load_secrets -short_description: Loads secrets into the HashiCorp Vault -version_added: "2.11" -author: "Michele Baldessari" -description: - - Takes a values-secret.yaml file and uploads the secrets into the HashiCorp Vault -options: - values_secrets: - description: - - Path to the values-secrets file (only one of values_secrets and - values_secrets_plaintext can be passed) - required: false - default: '' - type: str - values_secrets_plaintext: - description: - - The content of the values-secrets file (only one of values_secrets and - values_secrets_plaintext can be passed) - required: false - default: '' - type: str - namespace: - description: - - Namespace where the vault is running - required: false - type: str - default: vault - pod: - description: - - Name of the vault pod to use to inject secrets - required: false - type: str - default: vault-0 - basepath: - description: - - Vault's kv initial part of the path. This is only supported on version 1.0 of the - secret format - required: false - type: str - default: secret - check_missing_secrets: - description: - - Validate the ~/values-secret.yaml file against the top-level - values-secret-template.yaml and error out if secrets are missing - required: false - type: bool - default: False - values_secret_template: - description: - - Path of the values-secret-template.yaml file of the pattern - required: false - type: str - default: "" -""" - -RETURN = """ -""" - -EXAMPLES = """ -- name: Loads secrets file into the vault of a cluster - vault_load_secrets: - values_secrets: ~/values-secret.yaml -""" - - -def run(module): - """Main ansible module entry point""" - results = dict(changed=False) - - args = module.params - values_secrets = os.path.expanduser(args.get("values_secrets", "")) - values_secrets_plaintext = args.get("values_secrets_plaintext", "") - if values_secrets != "" and values_secrets_plaintext != "": - module.fail_json("Cannot pass both values_secret and values_secret_plaintext") - - values_secrets = os.path.expanduser(args.get("values_secrets")) - basepath = args.get("basepath") - namespace = args.get("namespace") - pod = args.get("pod") - check_missing_secrets = args.get("check_missing_secrets") - values_secret_template = args.get("values_secret_template") - - if values_secrets != "" and not os.path.exists(values_secrets): - results["failed"] = True - results["error"] = f"Missing {values_secrets} file" - results["msg"] = f"Values secrets file does not exist: {values_secrets}" - module.exit_json(**results) - - # We were passed a filename (aka the unencrypted path) - if values_secrets != "": - with open(values_secrets, "r", encoding="utf-8") as file: - syaml = yaml.safe_load(file.read()) - if syaml is None: - syaml = {} - elif isinstance(syaml, str): - module.fail_json(f"Could not parse {values_secrets} file as yaml") - elif values_secrets_plaintext != "": - syaml = yaml.safe_load(values_secrets_plaintext) - if syaml is None: - syaml = {} - elif isinstance(syaml, str): - module.fail_json("Could not parse values_secrets_plaintext as yaml") - else: - module.fail_json("Both values_secrets and values_secrets_plaintext are unset") - - version = get_version(syaml) - if version == "2.0": - secret_obj = LoadSecretsV2(module, syaml, namespace, pod) - elif version == "1.0": - secret_obj = LoadSecretsV1( - module, - syaml, - basepath, - namespace, - pod, - values_secret_template, - check_missing_secrets, - ) - - else: - module.fail_json(f"Version {version} is currently not supported") - - secret_obj.sanitize_values() - nr_secrets = secret_obj.inject_secrets() - results["failed"] = False - results["changed"] = True - results["msg"] = f"{nr_secrets} secrets injected" - module.exit_json(**results) - - -def main(): - """Main entry point where the AnsibleModule class is instantiated""" - module = AnsibleModule( - argument_spec=yaml.safe_load(DOCUMENTATION)["options"], - supports_check_mode=False, - ) - run(module) - - -if __name__ == "__main__": - main() diff --git a/common/ansible/roles/cluster_pre_check/defaults/main.yml b/common/ansible/roles/cluster_pre_check/defaults/main.yml deleted file mode 100644 index fd6cdd5c..00000000 --- a/common/ansible/roles/cluster_pre_check/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" -kubeconfig_backup: "{{ lookup('env', 'HOME') }}/.kube/config" diff --git a/common/ansible/roles/cluster_pre_check/tasks/main.yml b/common/ansible/roles/cluster_pre_check/tasks/main.yml deleted file mode 100644 index 1dc5f445..00000000 --- a/common/ansible/roles/cluster_pre_check/tasks/main.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- name: Check if the kubernetes python module is usable from ansible - ansible.builtin.command: "{{ ansible_python_interpreter }} -c 'import kubernetes'" - changed_when: false - -- name: Check if KUBECONFIG is correctly set - ansible.builtin.debug: - msg: "KUBECONFIG is not set, falling back to ~/.kube/config" - when: kubeconfig is not defined or kubeconfig | length == 0 - -- name: Check if ~/.kube/config exists - ansible.builtin.stat: - path: "{{ kubeconfig_backup }}" - register: kubeconfig_result - -- name: Check if we're running inside an OCP cluster directly - ansible.builtin.set_fact: - running_in_ocp: "{{ lookup('env', 'KUBERNETES_SERVICE_HOST') | length > 0 | bool }}" - -- name: Fail if both KUBECONFIG and ~/.kube/config do not exist but only when not running in a cluster - ansible.builtin.fail: - msg: "{{ kubeconfig_backup }} not found and KUBECONFIG unset. Bailing out." - failed_when: - - not running_in_ocp - - not kubeconfig_result.stat.exists - - kubeconfig is not defined or kubeconfig | length == 0 diff --git a/common/ansible/roles/find_vp_secrets/tasks/main.yml b/common/ansible/roles/find_vp_secrets/tasks/main.yml deleted file mode 100644 index ce847a01..00000000 --- a/common/ansible/roles/find_vp_secrets/tasks/main.yml +++ /dev/null @@ -1,87 +0,0 @@ ---- -# Once V1 support is dropped we can remove the whole secret_template support -- name: Set secret_template fact - no_log: "{{ override_no_log | default(true) }}" - ansible.builtin.set_fact: - secret_template: "{{ pattern_dir }}/values-secret.yaml.template" - -- name: Is a VALUES_SECRET env variable set? - ansible.builtin.set_fact: - custom_env_values_secret: "{{ lookup('ansible.builtin.env', 'VALUES_SECRET') }}" - -- name: Check if VALUES_SECRET file exists - ansible.builtin.stat: - path: "{{ custom_env_values_secret }}" - register: custom_file_values_secret - when: custom_env_values_secret | default('') | length > 0 - -- name: Set values-secret yaml file to {{ custom_file_values_secret.stat.path }} - ansible.builtin.set_fact: - found_file: "{{ custom_file_values_secret.stat.path }}" - when: - - custom_env_values_secret | default('') | length > 0 - - custom_file_values_secret.stat.exists - -# FIXME(bandini): Eventually around end of 2023(?) we should drop -# ~/values-secret-{{ pattern_name }}.yaml and ~/values-secret.yaml -- name: Find first existing values-secret yaml file - ansible.builtin.set_fact: - found_file: "{{ lookup('ansible.builtin.first_found', findme) }}" - vars: - findme: - - "~/.config/hybrid-cloud-patterns/values-secret-{{ pattern_name }}.yaml" - - "~/.config/validated-patterns/values-secret-{{ pattern_name }}.yaml" - - "~/values-secret-{{ pattern_name }}.yaml" - - "~/values-secret.yaml" - - "{{ pattern_dir }}/values-secret.yaml.template" - when: custom_env_values_secret | default('') | length == 0 - -- name: Is found values secret file encrypted - no_log: "{{ override_no_log | default(true) }}" - ansible.builtin.shell: | - set -o pipefail - head -1 "{{ found_file }}" | grep -q \$ANSIBLE_VAULT - changed_when: false - register: encrypted - failed_when: (encrypted.rc not in [0, 1]) - -# When HOME is set we replace it with '~' in this debug message -# because when run from inside the container the HOME is /pattern-home -# which is confusing for users -- name: Is found values secret file encrypted - ansible.builtin.debug: - msg: "Using {{ (lookup('env', 'HOME') | length > 0) | ternary(found_file | regex_replace('^' + lookup('env', 'HOME'), '~'), found_file) }} to parse secrets" - -- name: Set encryption bool fact - no_log: "{{ override_no_log | default(true) }}" - ansible.builtin.set_fact: - is_encrypted: "{{ encrypted.rc == 0 | bool }}" - -- name: Get password for "{{ found_file }}" - ansible.builtin.pause: - prompt: "Input the password for {{ found_file }}" - echo: false - when: is_encrypted - register: vault_pass - -- name: Get decrypted content if {{ found_file }} was encrypted - no_log: "{{ override_no_log | default(true) }}" - ansible.builtin.shell: - ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}" - register: values_secret_plaintext - when: is_encrypted - changed_when: false - -- name: Normalize secrets format (un-encrypted) - no_log: '{{ override_no_log | default(true) }}' - ansible.builtin.set_fact: - values_secrets_data: "{{ lookup('file', found_file) | from_yaml }}" - when: not is_encrypted - changed_when: false - -- name: Normalize secrets format (encrypted) - no_log: '{{ override_no_log | default(true) }}' - ansible.builtin.set_fact: - values_secrets_data: "{{ values_secret_plaintext.stdout | from_yaml }}" - when: is_encrypted - changed_when: false diff --git a/common/ansible/roles/iib_ci/README.md b/common/ansible/roles/iib_ci/README.md deleted file mode 100644 index de4b4107..00000000 --- a/common/ansible/roles/iib_ci/README.md +++ /dev/null @@ -1,111 +0,0 @@ -# IIB Utilities - -A set of ansible plays to fetch an IIB (Image Index Bundle, aka a container created by the operator SDK -that contains a bunch of references to operators that can be installed in an OpenShift cluster) - -Run `ansible-playbook common/ansible/playbooks/iib-ci/lookup.yml` to see which IIBs are available (defaults to -openshift-gitops). If you want to look up IIBs for a different operator run: -`ansible-playbook -e operator=acm-operator common/ansible/playbooks/iib-ci/lookup.yml` - -You can also try running curl manually via: -`curl -sSL "https://datagrepper.engineering.redhat.com/raw?topic=/topic/VirtualTopic.eng.ci.redhat-container-image.index.built&delta=15780000&contains=acm-operator" | jq ".raw_messages[].msg"` - -Typically IIB are prerelease stuff that lives on some internal boxes. What these scripts do is fetch -the IIB internally, mirror it to the registry inside the cluster, parse all the needed images and mirror -those to the internal cluster registry and then set up the registries.conf files on all nodes so -that the images used are the ones pointing to the internal cluster. - -## Usage - -By default the operator to be installed from the IIB is `openshift-gitops-operator`. You can override this through the `OPERATOR` env variable. -For example, to mirror an operator into an existing cluster you would do the following: - -```sh -export KUBECONFIG=/tmp/foo/kubeconfig -export OPERATOR=openshift-gitops-operator -export IIB=492329 -export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:${IIB} -export KUBEADMINPASS="11111-22222-33333-44444" -# This will push the IIB and all the needed images for the default openshift-gitops-operator into the cluster -make load-iib -# This will install the pattern using the gitops operator from the IIB -``` - -***NOTE:*** When using an SNO without shared storage in a non-production environment, the enablement of the internal registry will fail. You need to run the following to enable it: - -```sh -oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Managed"}}' -oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}' -``` - -### Gitops operator - -Then in case of the `openshift-gitops-operator` we would install with: - -```sh -export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') -make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.gitops.channel=${CHANNEL}" install -``` - -### ACM operator - -The advanced-cluster-management operator is a little bit more complex than the others because it -also installes another operator called MCE multicluster-engine. So to install ACM you typically -need two IIBs (one for acm and one for mce). With those two at hand, do the following (the ordering must be -consistent: the first IIB corresponds to the first OPERATOR, etc). The following operation needs to be done -on both hub *and* spokes: - -```sh -for i in hub-kubeconfig-file spoke-kubeconfig-file; do - export KUBECONFIG="${i}" - export KUBEADMINPASS="11111-22222-33333-44444" - export OPERATOR=advanced-cluster-management,multicluster-engine - export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034 - make load-iib -done -``` - -Once the IIBs are loaded into the cluster we need to run the following steps: - -```sh -export ACM_CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-713808" --field-selector "metadata.name=advanced-cluster-management" -o jsonpath='{.items[0].status.defaultChannel}') -export MCE_CHANNEL=$(oc get -n openshift-margetplace packagemanifests -l "catalog=iib-718034" --field-selector "metadata.name=multicluster-engine" -o jsonpath='{.items[0].status.defaultChannel}') -make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-713808 \ - --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${ACM_CHANNEL} \ - --set main.extraParameters[2].name=acm.mce_operator.source --set main.extraParameters[2].value="iib-718034" \ - --set main.extraParameters[3].name=acm.mce_operator.channel --set main.extraParameters[3].value=${MCE_CHANNEL}" install -``` - -*Note*: In this case the `acm` in `clusterGroup.subscriptions.acm.*` is the name of the key in the subscriptions in `values-hub.yaml` - -### Other operators - -To install operators other than gitops and acm do the following: - -```sh -export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') -make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions..source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions..channel --set main.extraParameters[1].value=${CHANNEL}" install -``` - -*Note*: Replace `` with the actual name of the subscription dictionary in `values-hub.yaml` - -## Useful commands - -* List IIBs for an operator: - -```sh -ansible-playbook common/ansible/playbooks/iib-ci/lookup.yml -... -ok: [localhost] => (item=v4.13) => { - "msg": "v4.13 -> {'indeximage': 'registry-proxy.engineering.redhat.com/rh-osbs/iib:509435', 'bundleimage': 'registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle:v99.9.0-106'}" -} -... -``` - -Override the `operator` value with the desired bundle name to figure out the last IIBs for it. - -* List all images uploaded to the internal registry: - -```sh -oc exec -it -n openshift-image-registry $(oc get pods -n openshift-image-registry -o json | jq -r '.items[].metadata.name | select(. | test("^image-registry-"))' | head -n1) -- bash -c "curl -k -u kubeadmin:$(oc whoami -t) https://localhost:5000/v2/_catalog" -``` diff --git a/common/ansible/roles/iib_ci/defaults/main.yml b/common/ansible/roles/iib_ci/defaults/main.yml deleted file mode 100644 index 397be608..00000000 --- a/common/ansible/roles/iib_ci/defaults/main.yml +++ /dev/null @@ -1,13 +0,0 @@ -rh_internal_registry: registry-proxy.engineering.redhat.com -iib_images: "{{ lookup('env', 'INDEX_IMAGES') }}" - -kubeadminpass: "{{ lookup('env', 'KUBEADMINPASS') }}" - -internal_registry_ns: openshift-marketplace -internal_registry_email: noemail@localhost -internal_registry_user: registry-custom-user -internal_registry_pass: "{{ lookup('env', 'INTERNAL_REGISTRY_USER') }}" - -# We can use default(, true) below because OPERATOR is a string and not -# a boolean -operator: "{{ lookup('env', 'OPERATOR') | default('openshift-gitops-operator', true) }}" diff --git a/common/ansible/roles/iib_ci/handlers/main.yml b/common/ansible/roles/iib_ci/handlers/main.yml deleted file mode 100644 index a983544d..00000000 --- a/common/ansible/roles/iib_ci/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for vault_utils diff --git a/common/ansible/roles/iib_ci/meta/main.yml b/common/ansible/roles/iib_ci/meta/main.yml deleted file mode 100644 index c9d7005d..00000000 --- a/common/ansible/roles/iib_ci/meta/main.yml +++ /dev/null @@ -1,29 +0,0 @@ -galaxy_info: - author: Validated Patterns Team https://github.com/hybrid-cloud-patterns/ - description: Internal module to work with IIBs (Image Index Bundles) - - issue_tracker_url: https://github.com/hybrid-cloud-patterns/common/issues - license: Apache-2.0 - min_ansible_version: "2.1" - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - platforms: - - name: Fedora - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - - name: EL - versions: - - "8" - - "9" - - galaxy_tags: [] - -dependencies: [] diff --git a/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml b/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml deleted file mode 100644 index 391f2ac2..00000000 --- a/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml +++ /dev/null @@ -1,102 +0,0 @@ -# This task fetches all the images given an operator name -# the operator name is defined in the variable "item". This -# set of tasks is to be included in a loop that goes over the -# needed operators -- name: Get default channel in the IIB for "{{ item.key }}" - ansible.builtin.shell: | - oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \ - -o jsonpath='{.items[0].status.defaultChannel}' - register: default_channel_raw - retries: 10 - delay: 10 - until: default_channel_raw is not failed - -- name: Set default channel fact - ansible.builtin.set_fact: - default_channel: "{{ default_channel_raw.stdout }}" - -- name: Print default channel - ansible.builtin.debug: - msg: "Default channel for {{ item.key }}: {{ default_channel }}" - -- name: Get all related images in the IIB for "{{ item.key }}" - ansible.builtin.shell: | - oc get packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \ - -o jsonpath="{.items[0].status.channels[?(@.name==\"{{ default_channel }}\")].currentCSVDesc.relatedImages}" - register: related_images_raw - retries: 5 - delay: 10 - until: related_images_raw is not failed - -- name: Set related_images fact - ansible.builtin.set_fact: - related_images: "{{ related_images_raw.stdout }}" - -# NOTE(bandini) -# The following code is here to find out what the operator bundle image is and to make -# sure it is on the internal registry. -# This is all potentially hacky, but so far I could not find a single place in the cluster -# where the olm.bundle image is available. The info is in there in the IIB, but it certainly -# is not in any package manifest nor catalogsource. This is why we resort to invoking opm -# alpha commands inside the IIB image locally -- name: Pull the IIB locally - ansible.builtin.command: - podman pull "{{ item.value['iib_image'] }}" - -# $ opm alpha list channels /configs advanced-cluster-management -# PACKAGE CHANNEL HEAD -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.4 -# advanced-cluster-management release-2.8 advanced-cluster-management.v2.8.0-130 -- name: Read the operator bundle from the default channel - ansible.builtin.shell: | - set -o pipefail - podman run -it --rm "{{ item.value['iib_image'] }}" alpha list channels /configs "{{ item.key }}" | grep -E "(\s){{ default_channel }}(\s)" | awk '{ print $3 }' - register: bundle_channel_raw - -- name: Set bundle fact - ansible.builtin.set_fact: - bundle_channel: "{{ bundle_channel_raw.stdout }}" - -- name: Fail if bundle_channel is empty - ansible.builtin.fail: - msg: "Failed to find bundle from channel: {{ bundle_channel_raw }}" - when: > - (bundle_channel is not defined) or (bundle_channel | length == 0) - -# $ opm alpha list bundles /configs advanced-cluster-management -# PACKAGE CHANNEL BUNDLE REPLACES SKIPS SKIP RANGE IMAGE -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.0 >=2.6.0 <2.7.0 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:f63d0a9a0e3dc9d86e84279c50e9c613d8430e71a3821d418e168250ca3b747c -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.1 advanced-cluster-management.v2.7.0 >=2.6.0 <2.7.1 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:a81a574f2f22d37681c44fe0c3b958074408705415de333de54d120145537533 -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.2 advanced-cluster-management.v2.7.1 >=2.6.0 <2.7.2 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:8a2c758689eaebe6a287315ca18fd9122f323e195ea3410db005b6a449060fad -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.3 advanced-cluster-management.v2.7.2 >=2.6.0 <2.7.3 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:208f4d9473a923817c102bb7e5f138d3e1e8ed3057a23a220ffa8fe9c0c27128 -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.4 advanced-cluster-management.v2.7.3 >=2.6.0 <2.7.4 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:75b6438e08800b2e3608aeb01c1c0a68810108d9905fff35916afd21e6d32685 -# advanced-cluster-management release-2.8 advanced-cluster-management.v2.8.0-130 >=2.7.0 <2.8.0-130 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:6c385aa69256cdd964ae9e79e52ce52e1048391f0557af59843326c4ebe9bec0 -- name: Get bundle image - ansible.builtin.shell: | - set -o pipefail - podman run -it --rm "{{ item.value['iib_image'] }}" alpha list bundles /configs "{{ item.key }}" | grep -e "{{ default_channel }}\s\+{{ bundle_channel }}" | awk '{ print $NF }' - register: bundle_image_raw - -- name: Set bundle image fact - ansible.builtin.set_fact: - bundle_image: "{{ bundle_image_raw.stdout }}" - -- name: Fail if bundle_image is empty - ansible.builtin.fail: - msg: "Failed to find bundle image: {{ bundle_image_raw }}" - when: > - (bundle_image is not defined) or (bundle_image | length == 0) - -# all_images will be a list as follows: -# [ "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40", -# "registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b", -# "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759", -# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3", -# "registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792", -# "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2", -# "registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461", -# "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5", -# "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0dda..." ] -- name: Set all images fact (related images + operator bundles) - ansible.builtin.set_fact: - all_images: "{{ all_images + related_images + [bundle_image] }}" diff --git a/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml b/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml deleted file mode 100644 index 76a649b2..00000000 --- a/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml +++ /dev/null @@ -1,56 +0,0 @@ -- name: Set IIB local folder fact - ansible.builtin.set_fact: - iib_local_folder: "/tmp/manifest-{{ item.value['iib'] }}" - -- name: Remove manifest folder "{{ iib_local_folder }}" - ansible.builtin.file: - path: "{{ iib_local_folder }}" - state: absent - -- name: Create manifest folder "{{ iib_local_folder }}" - ansible.builtin.file: - path: "{{ iib_local_folder }}" - state: directory - mode: "0755" - -# This generates files in /tmp/manifest-IIB: -# - mapping.txt -# - catalogSource.yaml -# - imageContentSourcePolicy.yaml -- name: Mirror catalog manifests only to "{{ iib_local_folder }}" - ansible.builtin.shell: | - oc adm catalog mirror --insecure --manifests-only --to-manifests=. \ - "{{ item.value['iib_image'] }}" "{{ rh_internal_registry }}/rh-osbs" > catalog.log 2>&1 - args: - chdir: "{{ iib_local_folder }}" - -- name: Mirror IIB to "{{ mirror_iib }}" - ansible.builtin.shell: | - oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" \ - "{{ item.value['iib_image'] }}={{ mirror_iib }}" --insecure --keep-manifest-list 2>&1 - args: - chdir: "{{ iib_local_folder }}" - register: oc_mirror_result - retries: 10 - delay: 5 - until: oc_mirror_result is not failed - -- name: Template mirrored catalogsource - ansible.builtin.template: - src: ./templates/catalogSource.yaml.j2 - dest: "{{ iib_local_folder }}/mirrored-catalogsource.yaml" - mode: "0644" - -- name: Apply mirrored catalogsource - ansible.builtin.shell: | - oc apply -f "{{ iib_local_folder }}/mirrored-catalogsource.yaml" - -- name: Wait for catalogsource to show up - ansible.builtin.shell: | - oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \ - -o jsonpath='{.items[0].status.defaultChannel}' - register: oc_catalogsource_result - retries: 30 - delay: 10 - until: oc_catalogsource_result is not failed - changed_when: false diff --git a/common/ansible/roles/iib_ci/tasks/main.yml b/common/ansible/roles/iib_ci/tasks/main.yml deleted file mode 100644 index 4e8df11f..00000000 --- a/common/ansible/roles/iib_ci/tasks/main.yml +++ /dev/null @@ -1,76 +0,0 @@ -- name: Check for pre-requisite binaries presence - ansible.builtin.shell: | - which "{{ item }}" - with_items: - - skopeo - - oc - - podman - -- name: Check that INDEX_IMAGES env variable is set - ansible.builtin.fail: - msg: "INDEX_IMAGES: '{{ iib_images }}' is not set" - failed_when: - (iib_images is not defined or iib_images | length == 0) - -- name: Get cluster version - # E.g. 4.13.0-rc.6 or 4.12.16 - ansible.builtin.shell: | - oc get openshiftcontrollermanager/cluster -o yaml -o jsonpath='{.status.version}' - register: oc_version_raw - retries: 10 - delay: 10 - until: oc_version_raw is not failed - changed_when: false - -- name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests) - ansible.builtin.set_fact: - ocp_413: "{{ oc_version_raw.stdout is version('4.13', '>=') }}" - -- name: Fail if OCP < 4.13 as we do not support it for IIB testing any longer - ansible.builtin.fail: - msg: "OCP versions < 4.13 are not support for IIB loading" - when: not ocp_413 - -- name: Set images array - ansible.builtin.set_fact: - iib_image_list: "{{ iib_images.split(',') }}" - -- name: Set operator array - ansible.builtin.set_fact: - operator_list: "{{ operator.split(',') }}" - -# Creates a dict like: -# "advanced-cluster-management": { -# "iib": "713808", -# "iib_image": "registry-proxy.engineering.redhat.com/rh-osbs/iib:713808" -# }, -# "multicluster-engine": { -# "iib": "713809", -# "iib_image": "registry-proxy.engineering.redhat.com/rh-osbs/iib:713809" -# } -- name: Set IIB dict - ansible.builtin.set_fact: - iib_dict: "{{ iib_dict | default({}) | combine({item.0: {'iib_image': item.1, 'iib': item.1.split(':')[-1]}}) }}" - with_together: - - "{{ operator_list }}" - - "{{ iib_image_list }}" - -- name: Working with the following IIB data - ansible.builtin.debug: - msg: "{{ iib_dict }}" - -- name: Set up internal registry (OCP >= 4.13) - ansible.builtin.include_tasks: setup-internal-registry.yml - -- name: Install new IIB in cluster - ansible.builtin.include_tasks: install-iib-in-cluster.yml - with_items: "{{ iib_dict | dict2items }}" - -- name: Mirror all related images - ansible.builtin.include_tasks: mirror-related-images.yml - with_items: "{{ iib_dict | dict2items }}" - -- name: Remove pullsecrets tempfolder - ansible.builtin.file: - path: "{{ pull_secrets_tempfolder.path }}" - state: absent diff --git a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml deleted file mode 100644 index 74a0bc3b..00000000 --- a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml +++ /dev/null @@ -1,217 +0,0 @@ -# We redefine this var so it is easier to run this task independently -- name: Set IIB local folder fact - ansible.builtin.set_fact: - iib_local_folder: "/tmp/manifest-{{ item.value['iib'] }}" - -- name: Set all images to empty list - ansible.builtin.set_fact: - all_images: [] - -- name: Fetch operator images tasks - ansible.builtin.include_tasks: fetch-operator-images.yml - -- name: Print all_images - ansible.builtin.debug: - msg: "{{ all_images }}" - -# A mapping.txt file will have lines like the following. Note how the image to the right of '=' -# does have a shortened hash! : -# registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff...=registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8:8256cca6 -# registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf..=registry-proxy.engineering.redhat.com/rh-osbs/openshift4-ose-haproxy-router:a636cbea -# -# Now what we are doing here is the following: -# 1. For every image we get from the bundle (contained in all_images var) we check if it exists. If it does great, skip to the next image -# 2. If the image was not found above, we take the corresponding URL on the right hand side of the '=' sign in mapping.txt -# except that we drop the hash that exists on the right hand-side and just use the one we were given with the image. -# If the image is found, great. If not we need to error out because we have no idea where we can fetch it from -- name: Find out which images really exist by consulting mapping.txt - ansible.builtin.shell: | - set -o pipefail - left_sha=$(echo "{{ image }}" | sed -e 's/^.*@//') - right=$(grep "{{ image }}" "{{ iib_local_folder }}/mapping.txt" | cut -f2 -d=) - right_base=$(echo $right | sed -e 's/:.*$//' -e 's/@.*$//') - right_log=$(echo "${right_base}@${left_sha}" | sed -e 's/\//-/g') - left_out=$(skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" 2>&1) - left_ret=$? - if [ $left_ret -eq 0 ]; then - echo "{{ image }}" - else - echo "${left_out}" > /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log - right_out=$(skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" 2>&1) - right_ret=$? - if [ $right_ret -eq 0 ]; then - echo "${right_base}@${left_sha}" - else # both left_ret and right_ret were != 0 - echo "${right_out}" > "/tmp/skopeo-${right_log}.log" - echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" - echo "Printing both outputs:" - echo "Left out: ${left_out}" - echo "Right out: ${right_out}" - exit 1 - fi - fi - register: all_existing_images - with_items: "{{ all_images }}" - loop_control: - loop_var: image - -# The dictionary below will be in the following form: -# { -# "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0ddaed0009bfdad4d79b664e28fef219c796679ee6a0": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0ddaed0009bfdad4d79b664e28fef219c796679ee6a0" -# }, -# "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759" -# }, -# "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5" -# }, -# "registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792" -# }, -# "registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b" -# }, -# "registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461" -# }, -# "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2": { -# "source": "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2" -# }, -# "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40": { -# "source": "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40" -# }, -# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3": { -# "source": "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3" -# } -# } -- name: Create dict with full image name+sha -> url where we will fetch it from - ansible.builtin.set_fact: - image_urls: "{{ image_urls | default({}) | combine({item: {'source': all_existing_images.results[counter].stdout, - 'source_nosha': all_existing_images.results[counter].stdout | regex_replace('@.*$', '')}}, recursive=true) }}" - loop: "{{ all_images }}" - loop_control: - index_var: counter - -- name: Create dict with full image name+sha -> mirror destination (OCP >= 4.13) - ansible.builtin.set_fact: - image_urls: "{{ image_urls | default({}) | combine({item: - {'mirrordest': mirror_dest + item | basename, - 'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''), - 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" - loop: "{{ all_images }}" - -- name: Create dict with full image name+sha -> image key without sha - ansible.builtin.set_fact: - image_urls: "{{ image_urls | default({}) | combine({item: {'image_nosha': item | regex_replace('@.*$', '')}}, recursive=true) }}" - loop: "{{ all_images }}" - -# At this point the dictionary looks as follows: -# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3": { -# "mirrordest": "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6@sha256:535... -# "mirrordest_nosha": "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6", -# "source": "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3", -# "source_nosha": "registry.redhat.io/rhel8/redis-6" -# } -- name: Print dict with full images - ansible.builtin.debug: - msg: "{{ image_urls }}" - -# OCP 4.13 uses the new fangled "ImageDigestMirrorSet" -- name: Template out imageMirror.yaml (OCP >= 4.13) - ansible.builtin.template: - src: ./templates/imageDigestMirror.yaml.j2 - dest: "{{ iib_local_folder }}/imageMirror.yaml" - mode: "0644" - -- name: Template out mirror.map - ansible.builtin.template: - src: ./templates/mirror.map.j2 - dest: "{{ iib_local_folder }}/mirror.map" - mode: "0644" - -# NOTE(bandini): mirror.map *must* have a tag (we use the IIB number) on the image on the right side -# otherwise, the image will be uplaoded and will exist in S3 but it won't exist in the registry's catalog!! -- name: Mirror all the needed images - ansible.builtin.shell: | - set -o pipefail - oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" -f mirror.map --insecure --keep-manifest-list 2>&1 | tee -a image-mirror.log - args: - chdir: "{{ iib_local_folder }}" - retries: 5 - delay: 2 - register: oc_mirror - until: oc_mirror is not failed - -- name: Fetch MCP observedGeneration worker - ansible.builtin.shell: - oc get mcp/worker -o jsonpath='{.status.observedGeneration}' - register: worker_observed_generation_raw - -- name: Fetch MCP machineCount worker - ansible.builtin.shell: - oc get mcp/worker -o jsonpath='{.status.machineCount}' - register: worker_machinecount_raw - -- name: Fetch MCP observedGeneration master - ansible.builtin.shell: - oc get mcp/master -o jsonpath='{.status.observedGeneration}' - register: master_observed_generation_raw - -- name: Fetch MCP machineCount master - ansible.builtin.shell: - oc get mcp/master -o jsonpath='{.status.machineCount}' - register: master_machinecount_raw - -- name: Will the imageMirror trigger any changes - ansible.builtin.command: - oc diff -f "{{ iib_local_folder }}/imageMirror.yaml" - failed_when: false - register: oc_mirror_diff - -# We only run this piece if there is an actual change in the mirror digest for images -# cannot use 'is failed' as that is always false when setting failed_when: false above -- name: Apply imageMirror and wait for MCP to complete - when: oc_mirror_diff.rc != 0 - block: - - name: Apply imageMirror - ansible.builtin.command: - oc apply -f "{{ iib_local_folder }}/imageMirror.yaml" - - # NOTE(bandini): The reason to not fail on these two observedGeneration waiting - # tasks, is to make this idempotent: If the 'oc apply' above does *not* trigger - # any changes, the observed generation tasks will just timeout. And then we still - # wait to make sure that the readyworker count is correct. - - name: Wait for MCP new observedGeneration worker - ansible.builtin.shell: - oc get mcp/worker -o jsonpath='{.status.observedGeneration}' - register: worker_current_observed_generation_raw - retries: 10 - delay: 20 - until: worker_current_observed_generation_raw.stdout != worker_observed_generation_raw.stdout - failed_when: false - - - name: Wait for MCP new observedGeneration master - ansible.builtin.shell: - oc get mcp/master -o jsonpath='{.status.observedGeneration}' - register: master_current_observed_generation_raw - retries: 10 - delay: 20 - until: master_current_observed_generation_raw.stdout != master_observed_generation_raw.stdout - failed_when: false - - - name: Wait for MCP readyMachineCount to be the same as before applying the digest (worker) - ansible.builtin.shell: - oc get mcp/worker -o jsonpath='{.status.readyMachineCount}' - register: worker_current_ready_machinecount_raw - retries: 30 - delay: 10 - until: worker_current_ready_machinecount_raw.stdout == worker_machinecount_raw.stdout - - - name: Wait for MCP readyMachineCount to be the same as before applying the digest (master) - ansible.builtin.shell: - oc get mcp/master -o jsonpath='{.status.readyMachineCount}' - register: master_current_ready_machinecount_raw - retries: 30 - delay: 10 - until: master_current_ready_machinecount_raw.stdout == master_machinecount_raw.stdout diff --git a/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml b/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml deleted file mode 100644 index e45def74..00000000 --- a/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml +++ /dev/null @@ -1,108 +0,0 @@ -- name: Check KUBEADMINPASS is set - ansible.builtin.fail: - msg: "KUBEADMINPASS: '{{ kubeadminpass }}' is not set" - failed_when: kubeadminpass is not defined or kubeadminpass | length == 0 - -- name: Get kubeadmin api endpoint - ansible.builtin.command: - oc whoami --show-server=true - register: kubeadminapi_raw - -- name: Set kubeadminapi fact - ansible.builtin.set_fact: - kubeadminapi: "{{ kubeadminapi_raw.stdout }}" - -- name: Login via kubeadmin - ansible.builtin.command: | - oc login -u kubeadmin -p "{{ kubeadminpass }}" "{{ kubeadminapi }}" --insecure-skip-tls-verify=true - -- name: Get kubeadmin token - ansible.builtin.command: | - oc whoami -t - register: oc_whoami_raw - -- name: Set kubeadmin token - ansible.builtin.set_fact: - kubeadmin_token: "{{ oc_whoami_raw.stdout }}" - -- name: Expose internal registry route - ansible.builtin.shell: | - oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge - -- name: Fetch internal registry route value - ansible.builtin.command: - oc registry info --public=true - register: registry_route_raw - retries: 20 - delay: 20 - until: - - registry_route_raw is not failed - - registry_route_raw.stdout | length > 0 - -- name: Set route fact - ansible.builtin.set_fact: - registry_route: "{{ registry_route_raw.stdout }}" - -- name: Set registry allowedRegistries - ansible.builtin.shell: > - oc patch image.config.openshift.io/cluster --patch "{\"spec\":{\"registrySources\":{\"allowedRegistries\":[ \"registry.stage.redhat.io\", \"registry.access.redhat.com\", \"registry.connect.redhat.com\", \"ghcr.io\", \"gcr.io\", \"quay.io\", \"registry.redhat.io\", \"docker.io\", - \"registry-proxy.engineering.redhat.com\", \"image-registry.openshift-image-registry.svc:5000\", \"{{ registry_route }}\"]}}}" --type=merge - -- name: Set registry insecureRegistries - ansible.builtin.shell: > - oc patch image.config.openshift.io/cluster --patch "{\"spec\":{\"registrySources\":{\"insecureRegistries\":[ \"registry-proxy.engineering.redhat.com\", - \"image-registry.openshift-image-registry.svc:5000\", \"{{ registry_route }}\"]}}}" --type=merge - -- name: Get current cluster pull secrets - ansible.builtin.command: - oc extract secret/pull-secret -n openshift-config --to=- - register: pull_secrets_raw - -- name: Add local registry to pull secrets and set auth fact - ansible.builtin.set_fact: - pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}" - internal_registry_auth: "{{ ('kubeadmin:' + kubeadmin_token) | b64encode }}" - -- name: Add local registry to pull secrets - ansible.builtin.set_fact: - pull_secrets: "{{ pull_secrets_new | combine({'auths': {registry_route: {'email': internal_registry_email, 'auth': internal_registry_auth}}}, recursive=true) }}" - -- name: Get a tempfile for the pull secrets - ansible.builtin.tempfile: - state: directory - register: pull_secrets_tempfolder - -- name: Store pull secrets in tempfile - ansible.builtin.copy: - dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" - content: "{{ pull_secrets | to_nice_json }}" - mode: "0644" - -- name: Update pull-secret in the cluster - ansible.builtin.shell: | - oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" - -- name: Before proceeding here we need to make sure that the MCPs have all settled - ansible.builtin.shell: | - if [ $(oc get mcp/master -o jsonpath='{.status.readyMachineCount}') != $(oc get mcp/master -o jsonpath='{.status.machineCount}') ]; then - exit 1 - fi - if [ $(oc get mcp/worker -o jsonpath='{.status.readyMachineCount}') != $(oc get mcp/worker -o jsonpath='{.status.machineCount}') ]; then - exit 1 - fi - retries: 30 - delay: 20 - register: mcp_ready - until: mcp_ready is not failed - -- name: Login the internal registry with podman - ansible.builtin.command: - podman login --tls-verify=false --username unused --password "{{ kubeadmin_token }}" "{{ registry_route }}" - -- name: Set Mirror URL fact for internal mirror IIB - ansible.builtin.set_fact: - mirror_iib: "{{ registry_route }}/{{ internal_registry_ns }}/iib" - -- name: Set Mirror URL fact for internal mirror - ansible.builtin.set_fact: - mirror_dest: "{{ registry_route }}/{{ internal_registry_ns }}/" diff --git a/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 b/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 deleted file mode 100644 index e7498892..00000000 --- a/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: CatalogSource -metadata: - name: iib-{{ item.value['iib'] }} - namespace: {{ internal_registry_ns }} -spec: - image: {{ mirror_iib }}:{{ item.value['iib'] }} - sourceType: grpc - displayName: IIB {{ item.value['iib'] }} diff --git a/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml b/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml deleted file mode 100644 index 8fc41821..00000000 --- a/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: config.openshift.io/v1 -kind: OAuth -metadata: - name: cluster -spec: - identityProviders: - - name: my_htpasswd_provider - mappingMethod: claim - type: HTPasswd - challenge: true - login: true - htpasswd: - fileData: - name: htpass-secret diff --git a/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 deleted file mode 100644 index d0f417ec..00000000 --- a/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: operator.openshift.io/v1alpha1 -kind: ImageContentSourcePolicy -metadata: - labels: - operators.openshift.org/catalog: "true" - name: iib-{{ iib }} -spec: - repositoryDigestMirrors: -{% for item in image_urls.values() %} - - mirrors: - - {{ item.mirrordest_nosha }} - source: {{ item.source_nosha }} - mirrorSourcePolicy: NeverContactSource - - mirrors: - - {{ item.mirrordest_nosha }} - source: {{ item.image_nosha }} - mirrorSourcePolicy: NeverContactSource -{% endfor %} diff --git a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 deleted file mode 100644 index 08a24735..00000000 --- a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: config.openshift.io/v1 -kind: ImageDigestMirrorSet -metadata: - labels: - operators.openshift.org/catalog: "true" - name: iib-{{ item.value['iib'] }} -spec: - imageDigestMirrors: -{% for data in image_urls.values() %} - - mirrors: - - {{ data.mirrordest_nosha }} - source: {{ data.source_nosha }} - mirrorSourcePolicy: AllowContactingSource - - mirrors: - - {{ data.mirrordest_nosha }} - source: {{ data.image_nosha }} - mirrorSourcePolicy: AllowContactingSource -{% endfor %} diff --git a/common/ansible/roles/iib_ci/templates/mirror.map.j2 b/common/ansible/roles/iib_ci/templates/mirror.map.j2 deleted file mode 100644 index ecef721c..00000000 --- a/common/ansible/roles/iib_ci/templates/mirror.map.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{% for item in image_urls.values() %} -{{ item.source }}={{ item.mirrordest_nosha }}:{{ item.mirrordest_tag }} -{% endfor %} diff --git a/common/ansible/roles/iib_ci/vars/main.yml b/common/ansible/roles/iib_ci/vars/main.yml deleted file mode 100644 index 56894088..00000000 --- a/common/ansible/roles/iib_ci/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for iib_ci diff --git a/common/ansible/roles/k8s_secret_utils/defaults/main.yml b/common/ansible/roles/k8s_secret_utils/defaults/main.yml deleted file mode 100644 index 7ebda207..00000000 --- a/common/ansible/roles/k8s_secret_utils/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -secrets_ns: 'validated-patterns-secrets' diff --git a/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml b/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml deleted file mode 100644 index 283fb6a2..00000000 --- a/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Check for secrets namespace - no_log: false - kubernetes.core.k8s_info: - kind: Namespace - name: "{{ item['metadata']['namespace'] }}" - register: secrets_ns_rc - until: secrets_ns_rc.resources | length > 0 - retries: 20 - delay: 45 - -- name: Inject k8s secret - no_log: '{{ override_no_log | default(True) }}' - kubernetes.core.k8s: - definition: '{{ item }}' diff --git a/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml b/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml deleted file mode 100644 index a2299734..00000000 --- a/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Inject secrets - no_log: '{{ override_no_log | default(True) }}' - ansible.builtin.include_tasks: inject_k8s_secret.yml - loop: '{{ kubernetes_secret_objects }}' diff --git a/common/ansible/roles/k8s_secret_utils/tasks/main.yml b/common/ansible/roles/k8s_secret_utils/tasks/main.yml deleted file mode 100644 index d72de7ae..00000000 --- a/common/ansible/roles/k8s_secret_utils/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Parse and extract k8s secrets from values-secret file - ansible.builtin.include_tasks: parse_secrets.yml - -- name: Inject k8s secrets - ansible.builtin.include_tasks: inject_k8s_secrets.yml diff --git a/common/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml b/common/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml deleted file mode 100644 index b1755cc2..00000000 --- a/common/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Parse secrets data - # no_log: '{{ override_no_log | default(true) }}' - parse_secrets_info: - values_secrets_plaintext: "{{ values_secrets_data }}" - secrets_backing_store: "{{ secrets_backing_store }}" - register: secrets_results - -- name: Return kubernetes objects - no_log: '{{ override_no_log | default(true) }}' - ansible.builtin.set_fact: - kubernetes_secret_objects: "{{ secrets_results['kubernetes_secret_objects'] }}" diff --git a/common/ansible/roles/vault_utils/README.md b/common/ansible/roles/vault_utils/README.md deleted file mode 100644 index ba26c702..00000000 --- a/common/ansible/roles/vault_utils/README.md +++ /dev/null @@ -1,241 +0,0 @@ -# Role Name - -Bunch of utilities to manage the vault inside k8s imperatively - -## Requirements - -ansible-galaxy collection install kubernetes.core (formerly known as community.kubernetes) - -## Role Variables - -Defaults as to where the values-secret.yaml file is and the two ways to connect to a kubernetes cluster -(KUBERCONFIG and ~/.kube/config respectively): - -```yaml -values_secret: "{{ lookup('env', 'HOME') }}/values-secret.yaml" -kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" -kubeconfig_backup: "{{ lookup('env', 'HOME') }}/.kube/config" -``` - -Default values for vault configuration: - -```yaml -vault_ns: "vault" -vault_pod: "vault-0" -vault_hub: "hub" -vault_hub_kubernetes_host: https://$KUBERNETES_PORT_443_TCP_ADDR:443 -# Needs extra escaping due to how it gets injected via shell in the vault -vault_hub_capabilities: '[\\\"read\\\"]' -vault_base_path: "secret" -vault_path: "{{ vault_base_path }}/{{ vault_hub }}" -vault_hub_ttl: "15m" -vault_pki_max_lease_ttl: "8760h" -external_secrets_ns: golang-external-secrets -external_secrets_sa: golang-external-secrets -unseal_secret: "vaultkeys" -unseal_namespace: "imperative" -``` - -## Dependencies - -This relies on [kubernetes.core](https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_module.html) - -## Vault out of the box configuration - -This role configures four secret paths in vault: - -1. `secret/global` - Any secret under this path is accessible in read-only only to all clusters known to ACM (hub and spokes) -2. `secret/hub` - Any secret under this path is accessible in read-only only to the ACM hub cluster -3. `secret/` - Any secret under this path is accessible in read-only only to the spoke cluster -4. `secret/pushsecrets` - Any secret here can be accessed in read and write mode to all clusters known to ACM. This area can - be used with ESO's `PushSecrets` so you can push an existing secret from one namespace, to the vault under this path and - then it can be retrieved by an `ExternalSecret` either in a different namespace *or* from an entirely different cluster. - -## Values secret file format - -Currently this role supports two formats: version 1.0 (which is the assumed -default when not specified) and version 2.0. The latter is more fatureful and -supports generating secrets directly into the vault and also prompting the user -for a secret. - -By default, the first file that will looked up is -`~/.config/hybrid-cloud-patterns/values-secret-.yaml`, then -`~/.config/validated-patterns/values-secret-.yaml`, -`~/values-secret-.yaml` and should that not exist it will look for -`~/values-secret.yaml`. -The paths can be overridden by setting the environment variable `VALUES_SECRET` to the path of the -secret file. - -The values secret YAML files can be encrypted with `ansible-vault`. If the role detects they are encrypted, the password to -decrypt them will be prompted when needed. - -### Version 2.0 - -Here is a version 2.0 example file (specifying `version: 2.0` is mandatory in this case): - -```yaml -# NEVER COMMIT THESE VALUES TO GIT (unless your file only uses generated -# passwords or only points to files) - -# Needed to specify the new format (missing version means old version: 1.0 by default) -version: 2.0 - -backingStore: vault # 'vault' is the default when omitted - -# These are the vault policies to be created in the vault -# these are used when we let the vault generate the passwords -# by setting the 'onMissingValue' attribute to 'generate' -# See https://developer.hashicorp.com/vault/docs/concepts/password-policies -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#$%^&*" min-chars = 1 } - -# This is the mandatory top-level secrets entry -secrets: - # This will create the following keys + attributes: - # - secret/region-one/config-demo: - # secret: ...... - # secretprompt: ...... - # secretprompt2: ...... - # secretfile: ...... - # ca_crt_b64: ...... - # - secret/snowflake.blueprints.rhecoeng.com: - # secret: ...... - # secretprompt: ...... - # secretprompt2: ...... - # secretfile: ...... - # ca_crt_b64: ...... - - name: config-demo - # This is the default and passes the -mount=secret option to the vault commands - vaultMount: secret - # These represent the paths inside the vault maint - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate # One of: error,generate,prompt (generate is only valid for normal secrets) - # This override attribute is false by default. The attribute is only valid with 'generate'. If the secret already exists in the - # vault it won't be changed unless override is set to true - override: true - vaultPolicy: basicPolicy - - name: secretprompt - value: null - onMissingValue: prompt # when prompting for something you need to set either value: null or path: null as - # we need to know if it is a secret plaintext or a file path - description: "Please specify the password for application ABC" - - name: secretprompt2 - value: defaultvalue - onMissingValue: prompt - description: "Please specify the API key for XYZ" - - name: secretprompt3 - onMissingValue: generate - vaultPolicy: validatedPatternDefaultPolicy # This is an always-existing hard-coded policy - - name: secretfile - path: /tmp/ca.crt - onMissingValue: prompt - description: "Insert path to Certificate Authority" - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error # One of error, prompt (for path). generate makes no sense for file - - name: ca_crt_b64 - path: /tmp/ca.crt - base64: true # defaults to false - onMissingValue: prompt # One of error, prompt (for path). generate makes no sense for file - - - name: config-demo2 - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: ca_crt2 - path: /tmp/ca.crt # this will be the default shown when prompted - description: "Specify the path for ca_crt2" - onMissingValue: prompt # One of error, prompt (for path). generate makes no sense for file - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error # One of error, prompt (for path). generate makes no sense for file - - # The following will read the ini-file at ~/.aws/credentials and place the ini_key "[default]/aws_access_key_id" - # in the aws_access_key_id_test vault attribute in the secret/hub/awsexample path - - name: awsexample - fields: - - name: aws_access_key_id_test - ini_file: ~/.aws/credentials - ini_section: default - ini_key: aws_access_key_id - - name: aws_secret_access_key_test - ini_file: ~/.aws/credentials - ini_key: aws_secret_access_key -``` - -### Version 1.0 - -Here is a well-commented example of a version 1.0 file: - -```yaml ---- -# By default when a top-level 'version: 1.0' is missing it is assumed to be '1.0' -# NEVER COMMIT THESE VALUES TO GIT - -secrets: - # These secrets will be pushed in the vault at secret/hub/test The vault will - # have secret/hub/test with secret1 and secret2 as keys with their associated - # values (secrets) - test: - secret1: foo - secret2: bar - - # This ends up as the s3Secret attribute to the path secret/hub/aws - aws: - s3Secret: test-secret - -# This will create the vault key secret/hub/testfoo which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files: - testfoo: ~/ca.crt -# These secrets will be pushed in the vault at secret/region1/test The vault will -# have secret/region1/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets.region1: - test: - secret1: foo1 - secret2: bar1 -# This will create the vault key secret/region2/testbar which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files.region2: - testbar: ~/ca.crt -``` - -Internals ---------- - -Here is the rough high-level algorithm used to unseal the vault: - -1. Check vault status. If vault is not initialized go to 2. If initialized go to 3. -2. Initialize vault and store unseal keys + login token inside a secret in k8s -3. Check vault status. If vault is unsealed go to 5. else to to 4. -4. Unseal the vault using the secrets read from the k8s secret -5. Configure the vault (should be idempotent) - -## License - -Apache - -## Author Information - -Michele Baldessari diff --git a/common/ansible/roles/vault_utils/defaults/main.yml b/common/ansible/roles/vault_utils/defaults/main.yml deleted file mode 100644 index 7759db48..00000000 --- a/common/ansible/roles/vault_utils/defaults/main.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# defaults file for vault_utils -values_secret: "{{ lookup('env', 'HOME') }}/values-secret.yaml" -kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" -kubeconfig_backup: "{{ lookup('env', 'HOME') }}/.kube/config" -vault_ns: "vault" -vault_pod: "vault-0" -vault_hub: "hub" -vault_pvc: "data-vault-0" -vault_hub_kubernetes_host: https://$KUBERNETES_PORT_443_TCP_ADDR:443 -# Needs extra escaping due to how it gets injected via shell in the vault -vault_hub_capabilities: '[\\\"read\\\"]' -vault_base_path: "secret" -vault_path: "{{ vault_base_path }}/{{ vault_hub }}" -vault_hub_ttl: "15m" -vault_spoke_capabilities: '[\\\"read\\\"]' -vault_spoke_ttl: "15m" -vault_global_policy: global -vault_global_capabilities: '[\\\"read\\\"]' -vault_pushsecrets_policy: pushsecrets -vault_pushsecrets_capabilities: '[\\\"create\\\",\\\"read\\\",\\\"update\\\",\\\"delete\\\"]' -external_secrets_ns: golang-external-secrets -external_secrets_sa: golang-external-secrets -external_secrets_secret: golang-external-secrets -unseal_secret: "vaultkeys" -unseal_namespace: "imperative" diff --git a/common/ansible/roles/vault_utils/handlers/main.yml b/common/ansible/roles/vault_utils/handlers/main.yml deleted file mode 100644 index a983544d..00000000 --- a/common/ansible/roles/vault_utils/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for vault_utils diff --git a/common/ansible/roles/vault_utils/meta/main.yml b/common/ansible/roles/vault_utils/meta/main.yml deleted file mode 100644 index c99eb3a9..00000000 --- a/common/ansible/roles/vault_utils/meta/main.yml +++ /dev/null @@ -1,31 +0,0 @@ -galaxy_info: - author: Validated Patterns Team https://github.com/hybrid-cloud-patterns/ - description: Utilities to manage vault in kubernetes (init, unseal, etc) - - issue_tracker_url: https://github.com/hybrid-cloud-patterns/common/issues - license: Apache-2.0 - min_ansible_version: "2.1" - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - platforms: - - name: Fedora - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - - name: EL - versions: - - "8" - - "9" - - galaxy_tags: [] - -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/common/ansible/roles/vault_utils/tasks/main.yml b/common/ansible/roles/vault_utils/tasks/main.yml deleted file mode 100644 index 1072e6b7..00000000 --- a/common/ansible/roles/vault_utils/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Run vault init tasks - ansible.builtin.import_tasks: vault_init.yaml - tags: vault_init - -- name: Unseal vault - ansible.builtin.import_tasks: vault_unseal.yaml - tags: vault_unseal - -- name: Vault secrets init - ansible.builtin.import_tasks: vault_secrets_init.yaml - tags: vault_secrets_init - -- name: Vault spoke backend init - ansible.builtin.import_tasks: vault_spokes_init.yaml - tags: vault_spokes_init - -- name: Load secrets - ansible.builtin.import_tasks: push_secrets.yaml - tags: push_secrets diff --git a/common/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml deleted file mode 100644 index cbca15e0..00000000 --- a/common/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -- name: "Do pre-checks for Vault" - ansible.builtin.include_role: - name: vault_utils - tasks_from: vault_status - -# Unfortunately we cannot loop vault_status and just check if the vault is unsealed -# https://github.com/ansible/proposals/issues/136 -# So here we keep running the 'vault status' command until sealed is set to false -- name: If the vault is still sealed we need to retry - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault status -format=json - register: vault_status_json - until: "'stdout' in vault_status_json and (not (vault_status_json.stdout | from_json)['sealed'] | bool)" - retries: 20 - delay: 45 - failed_when: "'stdout_lines' not in vault_status_json" - -# This step is not really needed when running make vault-init + load-secrets as -# everything is sequential -# It is needed when the vault is unsealed/configured inside the cluster and load-secrets -# gets run *while* the cronjob configures the vault. I.e. it might be half configured and return -# errors -- name: Make sure that the vault auth policy exists - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: - sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'" - register: vault_role_cmd - until: - - vault_role_cmd.rc is defined - - vault_role_cmd.rc == 0 - retries: 20 - delay: 45 - changed_when: false - -- name: Load parsed secrets into cluster vault - vault_load_parsed_secrets: - vault_policies: "{{ vault_policies }}" - parsed_secrets: "{{ parsed_secrets }}" diff --git a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml deleted file mode 100644 index 7954dc47..00000000 --- a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml +++ /dev/null @@ -1,125 +0,0 @@ ---- -- name: Vault status check - ansible.builtin.include_tasks: vault_status.yaml - -# Unfortunately we cannot loop vault_status and just check if the vault is unsealed -# https://github.com/ansible/proposals/issues/136 -# So here we keep running the 'vault status' command until sealed is set to false -- name: If the vault is still sealed we need to retry - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault status -format=json - register: vault_status_json - until: "'stdout' in vault_status_json and (not (vault_status_json.stdout | from_json)['sealed'] | bool)" - retries: 20 - delay: 45 - failed_when: "'stdout_lines' not in vault_status_json" - -# This step is not really needed when running make vault-init + load-secrets as -# everything is sequential -# It is needed when the vault is unsealed/configured inside the cluster and load-secrets -# gets run *while* the cronjob configures the vault. I.e. it might be half configured and return -# errors -- name: Make sure that the vault auth policy exists - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: - sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'" - register: vault_role_cmd - until: - - vault_role_cmd.rc is defined - - vault_role_cmd.rc == 0 - retries: 20 - delay: 45 - changed_when: false - -# Once V1 support is dropped we can remove the whole secret_template support -- name: Set secret_template fact - no_log: true - ansible.builtin.set_fact: - secret_template: "{{ pattern_dir }}/values-secret.yaml.template" - -- name: Is a VALUES_SECRET env variable set? - ansible.builtin.set_fact: - custom_env_values_secret: "{{ lookup('ansible.builtin.env', 'VALUES_SECRET') }}" - -- name: Check if VALUES_SECRET file exists - ansible.builtin.stat: - path: "{{ custom_env_values_secret }}" - register: custom_file_values_secret - when: custom_env_values_secret | default('') | length > 0 - -- name: Set values-secret yaml file to {{ custom_file_values_secret.stat.path }} - ansible.builtin.set_fact: - found_file: "{{ custom_file_values_secret.stat.path }}" - when: - - custom_env_values_secret | default('') | length > 0 - - custom_file_values_secret.stat.exists - -# FIXME(bandini): Eventually around end of 2023(?) we should drop -# ~/values-secret-{{ pattern_name }}.yaml and ~/values-secret.yaml -- name: Find first existing values-secret yaml file - ansible.builtin.set_fact: - found_file: "{{ lookup('ansible.builtin.first_found', findme) }}" - vars: - findme: - - "~/.config/hybrid-cloud-patterns/values-secret-{{ pattern_name }}.yaml" - - "~/.config/validated-patterns/values-secret-{{ pattern_name }}.yaml" - - "~/values-secret-{{ pattern_name }}.yaml" - - "~/values-secret.yaml" - - "{{ pattern_dir }}/values-secret.yaml.template" - when: custom_env_values_secret | default('') | length == 0 - -- name: Is found values secret file encrypted - no_log: true - ansible.builtin.shell: | - set -o pipefail - head -1 "{{ found_file }}" | grep -q \$ANSIBLE_VAULT - changed_when: false - register: encrypted - failed_when: (encrypted.rc not in [0, 1]) - -# When HOME is set we replace it with '~' in this debug message -# because when run from inside the container the HOME is /pattern-home -# which is confusing for users -- name: Is found values secret file encrypted - ansible.builtin.debug: - msg: "Using {{ (lookup('env', 'HOME') | length > 0) | ternary(found_file | regex_replace('^' + lookup('env', 'HOME'), '~'), found_file) }} to parse secrets" - -- name: Set encryption bool fact - no_log: true - ansible.builtin.set_fact: - is_encrypted: "{{ encrypted.rc == 0 | bool }}" - -- name: Get password for "{{ found_file }}" - ansible.builtin.pause: - prompt: "Input the password for {{ found_file }}" - echo: false - when: is_encrypted - register: vault_pass - -- name: Get decrypted content if {{ found_file }} was encrypted - no_log: true - ansible.builtin.shell: - ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}" - register: values_secret_plaintext - when: is_encrypted - changed_when: false - -- name: Loads secrets file into the vault of a cluster - no_log: false - vault_load_secrets: - values_secrets: "{{ found_file }}" - check_missing_secrets: false - values_secret_template: "{{ secret_template }}" - when: not is_encrypted - -- name: Loads secrets file into the vault of a cluster - no_log: false - vault_load_secrets: - values_secrets_plaintext: "{{ values_secret_plaintext.stdout }}" - check_missing_secrets: false - values_secret_template: "{{ secret_template }}" - when: is_encrypted diff --git a/common/ansible/roles/vault_utils/tasks/vault_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_init.yaml deleted file mode 100644 index 38e1e911..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_init.yaml +++ /dev/null @@ -1,47 +0,0 @@ ---- -- name: Vault status check - ansible.builtin.include_tasks: vault_status.yaml - -# If the vault is already initialized we skip all the tasks below -- name: Is the vault initialized? - ansible.builtin.set_fact: - vault_initialized: "{{ vault_status['initialized'] | bool }}" - -# We need to retry here because the vault service might be starting -# and can return a 500 internal server until its state is fully ready -- name: Init vault operator - no_log: true - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault operator init -format=json - register: vault_init_json_out - until: vault_init_json_out is not failed - retries: 10 - delay: 15 - when: not vault_initialized - -- name: Set vault init output json fact - no_log: true - ansible.builtin.set_fact: - vault_init_json: "{{ vault_init_json_out.stdout | from_json }}" - when: not vault_initialized - -# We store the the operator unseal keys and root token to a secret inside -# the cluster when the vault was not already initialized *and* when -# unseal_from_cluster is set to true -- name: Save vault operator output (into a secret inside the cluster) - no_log: true - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - type: Opaque - metadata: - name: "{{ unseal_secret }}" - namespace: "{{ unseal_namespace }}" - data: - vault_data_json: "{{ vault_init_json | to_nice_json | b64encode }}" - when: - - not vault_initialized diff --git a/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml deleted file mode 100644 index 8a098a7c..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml +++ /dev/null @@ -1,118 +0,0 @@ ---- -- name: Is secrets backend already enabled - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "vault secrets list | grep -e '^{{ vault_base_path }}'" - register: secrets_enabled - failed_when: false - -- name: Create secrets backend kv-v2 - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault secrets enable -path="{{ vault_base_path }}" kv-v2 - when: secrets_enabled.rc != 0 - -- name: Is kubernetes backend already enabled - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "vault auth list | grep -e '^{{ vault_hub }}'" - register: kubernetes_enabled - failed_when: false - -- name: Enable kubernetes backend on hub - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault auth enable -path={{ vault_hub }} kubernetes" - when: kubernetes_enabled.rc != 0 - -- name: Get token from service account secret {{ external_secrets_ns }}/{{ external_secrets_secret }} - no_log: true - kubernetes.core.k8s_info: - kind: Secret - namespace: "{{ external_secrets_ns }}" - name: "{{ external_secrets_secret }}" - api_version: v1 - register: token_data - failed_when: token_data.resources | length == 0 - -- name: Set sa_token fact - no_log: true - ansible.builtin.set_fact: - sa_token: "{{ token_data.resources[0].data.token | b64decode }}" - -- name: Configure hub kubernetes backend - no_log: true - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: bash -e -c "vault write auth/{{ vault_hub }}/config token_reviewer_jwt={{ sa_token }} - kubernetes_host={{ vault_hub_kubernetes_host }} - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - issuer=https://kubernetes.default.svc" - -# This creates a {{ vault_global_policy }} policy that is applied to both hubs and spokes -- name: Configure VP global policy template - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/data/{{ vault_global_policy }}/*\\\" { - capabilities = {{ vault_global_capabilities }} }\" > /tmp/policy-{{ vault_global_policy }}.hcl" - -- name: Configure VP global policy - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault policy write {{ vault_global_policy }}-secret /tmp/policy-{{ vault_global_policy }}.hcl" - -- name: Configure VP pushsecrets policy template - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/data/{{ vault_pushsecrets_policy }}/*\\\" { - capabilities = {{ vault_pushsecrets_capabilities }} }\" > /tmp/policy-{{ vault_pushsecrets_policy }}.hcl" - -- name: Add metadata path to the pushsecrets policy - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/metadata/{{ vault_pushsecrets_policy }}/*\\\" { - capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ vault_pushsecrets_policy }}.hcl" - -- name: Configure VP pushsecrets policy - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault policy write {{ vault_pushsecrets_policy }}-secret /tmp/policy-{{ vault_pushsecrets_policy }}.hcl" - -- name: Configure policy template for hub - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/data/{{ vault_hub }}/*\\\" { - capabilities = {{ vault_hub_capabilities }} }\" > /tmp/policy-{{ vault_hub }}.hcl" - -- name: Configure policy for hub - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault policy write {{ vault_hub }}-secret /tmp/policy-{{ vault_hub }}.hcl" - -- name: Configure kubernetes role for hub - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - vault write auth/"{{ vault_hub }}"/role/"{{ vault_hub }}"-role - bound_service_account_names="{{ external_secrets_sa }}" - bound_service_account_namespaces="{{ external_secrets_ns }}" - policies="default,{{ vault_global_policy }}-secret,{{ vault_pushsecrets_policy }}-secret,{{ vault_hub }}-secret" ttl="{{ vault_hub_ttl }}" diff --git a/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml deleted file mode 100644 index bafe490b..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml +++ /dev/null @@ -1,228 +0,0 @@ ---- -- name: Find managed clusters - kubernetes.core.k8s_info: - kind: ManagedCluster - api_version: "cluster.open-cluster-management.io/v1" - register: managed_clusters - -- name: Set resource fact - ansible.builtin.set_fact: - resources: "{{ managed_clusters['resources'] }}" - -- name: Do nothing when no managed clusters are found - ansible.builtin.meta: end_play - when: resources | length == 0 or managed_clusters.failed or not managed_clusters.api_found - -- name: Loop over returned ACM managedclusters - ansible.builtin.set_fact: - clusters: "{{ clusters | default({}) | combine({item.metadata.name: {'caBundle': item.spec.managedClusterClientConfigs[0].caBundle | b64decode}}) }}" - loop: "{{ resources }}" - when: item.spec.managedClusterClientConfigs[0].caBundle is defined - loop_control: - label: "{{ item.metadata.name }}" - -- name: Extract ClusterGroup - ansible.builtin.set_fact: - clusters: "{{ clusters | default({}) | combine({item.metadata.name: {'clusterGroup': item.metadata.labels.clusterGroup}}, recursive=True) }}" - when: "'clusterGroup' in item.metadata.labels" - loop: "{{ resources }}" - loop_control: - label: "{{ item.metadata.name }}" - -- name: Fetch all ACM secrets - kubernetes.core.k8s_info: - kind: Secret - label_selectors: - - "apps.open-cluster-management.io/secret-type=acm-cluster" - register: acm_secrets - -- name: Set cleaned_acm_secrets fect - ansible.builtin.set_fact: - cleaned_acm_secrets: "{{ acm_secrets.resources | parse_acm_secrets }}" - -- name: Merge the two dicts together - ansible.builtin.set_fact: - clusters_info: "{{ clusters | default({}) | combine(cleaned_acm_secrets, recursive=True) }}" - -- name: Write out CAs - ansible.builtin.copy: - content: "{{ item.value['caBundle'] }}" - dest: "/tmp/{{ item.key }}.ca" - mode: "0640" - loop: "{{ clusters_info | dict2items }}" - when: item.value['caBundle'] is defined - loop_control: - label: "{{ item.key }}" - -# FIXME(bandini): validate_certs is false due to an ACM bug when using -# letsencrypt certificates with API endpoints: https://issues.redhat.com/browse/ACM-4398 -# We always verify the CA chain except when letsencrypt.api_endpoint is set to true -- name: If we are using letsencrypt on the API endpoints we cannot use the validate_certs later - ansible.builtin.set_fact: - validate_certs_api_endpoint: "{{ not letsencrypt.api_endpoint | default(True) | bool }}" - -- name: Fetch remote ansible to remote cluster - kubernetes.core.k8s_info: - api_key: "{{ item.value['bearerToken'] }}" - ca_cert: /tmp/{{ item.key }}.ca - host: "{{ item.value['server_api'] }}" - kind: Secret - namespace: "{{ external_secrets_ns }}" - name: "{{ external_secrets_secret }}" - api_version: v1 - validate_certs: "{{ validate_certs_api_endpoint }}" - register: remote_external_secrets_sa - # We are allowed to ignore errors here because a spoke might be down or unreachable - # if a spoke is not reachable then its ['token'] field will not be set which - # will leave the ['esoToken'] field empty in the dict which will make it so that - # the spoke gets skipped - ignore_errors: true - # We add no_log: true here because in case of a remote failure secret bits might - # end up in the log. Unfortunately ansible is currently not easily able to control - # output in a loop (see - # https://serverfault.com/questions/1059530/how-to-not-print-items-in-an-ansible-loop-error-without-no-log) - no_log: true - when: - - clusters_info[item.key]['bearerToken'] is defined - - clusters_info[item.key]['server_api'] is defined - - clusters_info[item.key]['caBundle'] is defined - loop: "{{ clusters_info | dict2items }}" - loop_control: - label: "{{ item.key }}" - -# 'token' will be empty if the remote cluster has no golang-external-secret -# app configured and running -- name: Loop over returned ESO tokens - ansible.builtin.set_fact: - clusters_info: "{{ clusters_info | default({}) | combine({item['item']['key']: {'esoToken': item['resources'][0]['data']['token'] | b64decode}}, recursive=True) }}" - loop: "{{ remote_external_secrets_sa.results }}" - when: item['resources'][0]['data']['token'] is defined - loop_control: - label: "{{ item['item']['key'] }}" - -# At this point clusters_info contains a per cluster hash table with *all* the right attributes. For example: -# "mcg-one": { -# "bearerToken": "ey...", -# "caBundle": "-----BEGIN CERTIFICATE-----\nMIIDMjCCA", -# "clusterGroup": "group-one", -# "cluster_fqdn": "mcg-one.blueprints.rhecoeng.com", -# "vault_path": "hub" (when the hub) and the cluster_fqdn when not hub, -# "esoToken": (optional) only if there was an external golang-external-secrets namespace+service account -# "name": "mcg-one", -# "server_api": "https://api.mcg-one.blueprints.rhecoeng.com:6443", -# "tlsClientConfig": { -# "insecure": true -# } -# } -- name: Dump CABundles into the vault - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: bash -e -c "echo '{{ item.value['caBundle'] }}' > /tmp/{{ item.value['vault_path'] }}.ca" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Is kubernetes backend already enabled - no_log: true - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: bash -e -c "if vault auth list | grep -e ^'{{ item.value['vault_path'] }}'; then - echo done; else - vault auth enable -path='{{ item.value['vault_path'] }}' kubernetes; fi" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure kubernetes backend - no_log: true - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: bash -e -c "vault write auth/{{ item.value['vault_path'] }}/config - token_reviewer_jwt=\"{{ item.value['esoToken'] }}\" - kubernetes_host=\"{{ item.value['server_api'] }}\" - kubernetes_ca_cert=@/tmp/{{ item.value['vault_path'] }}.ca" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure spoke policy template - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/data/{{ item.value['vault_path'] }}/*\\\" { - capabilities = {{ vault_spoke_capabilities }} }\" > /tmp/policy-{{ item.value['vault_path'] }}.hcl" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure spoke pushsecrets policy template - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/data/{{ vault_pushsecrets_policy }}/*\\\" { - capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ item.value['vault_path'] }}.hcl" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure spoke pushsecrets metadata policy template - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/metadata/{{ vault_pushsecrets_policy }}/*\\\" { - capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ item.value['vault_path'] }}.hcl" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure policy for spokes - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault policy write {{ item.value['vault_path'] }}-secret /tmp/policy-{{ item.value['vault_path'] }}.hcl" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure kubernetes role for spokes - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - vault write auth/"{{ item.value['vault_path'] }}"/role/"{{ item.value['vault_path'] }}"-role - bound_service_account_names="{{ external_secrets_sa }}" - bound_service_account_namespaces="{{ external_secrets_ns }}" - policies="default,{{ vault_global_policy }}-secret,{{ vault_pushsecrets_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" diff --git a/common/ansible/roles/vault_utils/tasks/vault_status.yaml b/common/ansible/roles/vault_utils/tasks/vault_status.yaml deleted file mode 100644 index 9dc3e426..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_status.yaml +++ /dev/null @@ -1,61 +0,0 @@ ---- -# Registers a variable valled vault_status containing the vault's status json dict -- name: Check for vault namespace - kubernetes.core.k8s_info: - kind: Namespace - name: "{{ vault_ns }}" - register: vault_ns_rc - until: vault_ns_rc.resources | length > 0 - retries: 20 - delay: 45 - -- name: Check if the vault pod is present - kubernetes.core.k8s_info: - kind: Pod - namespace: "{{ vault_ns }}" - name: "{{ vault_pod }}" - register: vault_pod_rc - until: vault_pod_rc.resources | length > 0 - retries: 20 - delay: 45 - -# This needs retrying because during startup we can just get -# Failed to execute on pod vault-0 due to : (0)\nReason: Handshake status 500 Internal Server Error -# In the above case there is no 'rc' in vault_status. So first we wait for 'rc' to show up and ignore -# any errors, and then we bail out if rc is 2 as it means the vault is already initialized -- name: Check for the vault status - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault status -format=json - register: vault_status_json - until: "'rc' in vault_status_json" - retries: 20 - delay: 45 - failed_when: "'stdout_lines' not in vault_status_json" - -- name: Set vault status output json fact - ansible.builtin.set_fact: - vault_status: "{{ vault_status_json.stdout | from_json }}" - when: vault_status_json.stdout_lines | length > 0 - -- name: List Vault pods - kubernetes.core.k8s_info: - namespace: "{{ vault_ns }}" - kind: Pod - label_selectors: - - "component = server" - register: vault_pods_list - -- name: "Get pods" - ansible.builtin.set_fact: - vault_pods: "{{ vault_pods + [item.metadata.name] }}" - loop: "{{ vault_pods_list.resources }}" - loop_control: - label: "{{ item.metadata.name }}" - vars: - vault_pods: [] - -- name: "Followers" - ansible.builtin.set_fact: - followers: "{{ vault_pods | difference(vault_pod) }}" diff --git a/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml b/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml deleted file mode 100644 index 43232ac7..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml +++ /dev/null @@ -1,88 +0,0 @@ ---- -- name: Vault status check - ansible.builtin.include_tasks: vault_status.yaml - -# If the vault is already unsealed we skip all the tasks below -- name: Is the vault sealed? - ansible.builtin.set_fact: - vault_sealed: "{{ vault_status['sealed'] | bool }}" - -# We reparse the json vault init secret in case unseal was called without operator init before -- name: Parse vaultkeys - kubernetes.core.k8s_info: - kind: Secret - namespace: "{{ unseal_namespace }}" - name: "{{ unseal_secret }}" - api_version: v1 - register: vault_init_data - when: vault_sealed - -- name: Does the vaultkeys secret exist? - ansible.builtin.set_fact: - vaultkeys_exists: "{{ vault_init_data.resources | length > 0 }}" - when: vault_sealed - -- name: Vaultkeys does not exist and the vault is sealed, so exit - ansible.builtin.meta: end_play - when: - - vault_sealed - - not vaultkeys_exists - -- name: Set vault init json - ansible.builtin.set_fact: - vault_init_json: "{{ vault_init_data.resources[0].data.vault_data_json | b64decode | from_json }}" - when: vault_sealed - -- name: Set root token and unseal_keys - ansible.builtin.set_fact: - root_token: "{{ vault_init_json['root_token'] }}" - unseal_keys: "{{ vault_init_json['unseal_keys_hex'] }}" - when: vault_sealed - -- name: Unseal leader - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault operator unseal "{{ item }}" - loop: "{{ unseal_keys }}" - loop_control: - extended: true - label: "Unsealing with key {{ ansible_loop.index }}" - when: vault_sealed - -- name: Join Raft cluster - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ item }}" - command: vault operator raft join http://{{ vault_pod }}.{{ vault_ns }}-internal:8200 - register: join_raft_cluster_out - until: join_raft_cluster_out is not failed - retries: 10 - delay: 15 - loop: "{{ followers }}" - loop_control: - extended: true - label: "Joining Raft Cluster on http://{{ vault_pod }}.{{ vault_ns }}-internal:8200" - when: - - vault_sealed - - followers | length > 0 - -- name: Unseal followers - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ item.0 }}" - command: vault operator unseal "{{ item.1 }}" - loop: "{{ followers | product(unseal_keys) | list }}" - loop_control: - extended: true - label: "Unsealing {{ item.0 }} with key {{ ansible_loop.index }}" - when: - - vault_sealed - - followers | length > 0 - -- name: Login into vault - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault login "{{ root_token }}" - when: vault_sealed diff --git a/common/ansible/roles/vault_utils/tests/inventory b/common/ansible/roles/vault_utils/tests/inventory deleted file mode 100644 index 878877b0..00000000 --- a/common/ansible/roles/vault_utils/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -localhost - diff --git a/common/ansible/roles/vault_utils/tests/test.yml b/common/ansible/roles/vault_utils/tests/test.yml deleted file mode 100644 index b4da5c68..00000000 --- a/common/ansible/roles/vault_utils/tests/test.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Test Play - hosts: localhost - remote_user: root - roles: - - vault_utils diff --git a/common/ansible/roles/vault_utils/values-secrets.v1.schema.json b/common/ansible/roles/vault_utils/values-secrets.v1.schema.json deleted file mode 100644 index 3cb8c530..00000000 --- a/common/ansible/roles/vault_utils/values-secrets.v1.schema.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-06/schema#", - "$ref": "#/definitions/valuesSecretsV1", - "meta:license": [ - "Copyright 2022 Red Hat, Inc. All rights reserved.", - "This file is licensed to you under the Apache License, Version 2.0 (the 'License');", - "you may not use this file except in compliance with the License. You may obtain a copy", - "of the License at http://www.apache.org/licenses/LICENSE-2.0" - ], - "title": "Hybrid Cloud Patterns - values-secret.yaml files schema V1", - "description": "This schema defines the values-secret.yaml file as used by [Validated Patterns](https://hybrid-cloud-patterns.io)", - "type": "object", - "examples": [], - "definitions": { - "valuesSecretsV1": { - "title": "Values Secrets V1 Format", - "type": "object", - "additionalProperties": true, - "properties": { - "version": { - "type": [ "string", "null" ], - "description": "Version of the secret specification", - "default": "1.0" - } - }, - "patternProperties": { - "secrets[a-z0-9.]*$": { - "type": "object", - "additionalProperties": true - }, - "files[a-z0-9.]*$": { - "type": "object", - "additionalProperties": true - } - } - } - } -} diff --git a/common/ansible/roles/vault_utils/values-secrets.v2.schema.json b/common/ansible/roles/vault_utils/values-secrets.v2.schema.json deleted file mode 100644 index c8b5c020..00000000 --- a/common/ansible/roles/vault_utils/values-secrets.v2.schema.json +++ /dev/null @@ -1,335 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$ref": "#/definitions/valuesSecretsV2", - "meta:license": [ - "Copyright 2022 Red Hat, Inc. All rights reserved.", - "This file is licensed to you under the Apache License, Version 2.0 (the 'License');", - "you may not use this file except in compliance with the License. You may obtain a copy", - "of the License at http://www.apache.org/licenses/LICENSE-2.0" - ], - "title": "Hybrid Cloud Patterns - values-secret.yaml files schema V2", - "description": "This schema defines the values-secret.yaml file as used by [Validated Patterns](https://hybrid-cloud-patterns.io)", - "type": "object", - "examples": [ - { - "version": "2.0", - "backingStore": "vault", - "vaultPolicies": { - "basicPolicy": "length=10\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" min-chars = 1 }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" min-chars = 1 }\nrule \"charset\" { charset = \"0123456789\" min-chars = 1 }\n", - "advancedPolicy": "length=20\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" min-chars = 1 }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" min-chars = 1 }\nrule \"charset\" { charset = \"0123456789\" min-chars = 1 }\nrule \"charset\" { charset = \"!@#$%^&*\" min-chars = 1 }\n" - }, - "secrets": [ - { - "name": "config-demo", - "vaultMount": "secret", - "vaultPrefixes": [ - "region-one", - "snowflake.blueprints.rhecoeng.com" - ], - "fields": [ - { - "name": "secret", - "onMissingValue": "generate", - "override": true, - "vaultPolicy": "basicPolicy" - }, - { - "name": "secretprompt", - "value": null, - "onMissingValue": "prompt", - "prompt": "Please specify the password for application ABC" - }, - { - "name": "secretprompt2", - "value": "defaultvalue", - "onMissingValue": "prompt", - "prompt": "Please specify the API key for XYZ" - }, - { - "name": "secretfile", - "path": "/tmp/ca.crt", - "onMissingValue": "prompt", - "prompt": "Insert path to Certificate Authority" - }, - { - "name": "ca_crt", - "path": "/tmp/ca.crt", - "onMissingValue": "error" - }, - { - "name": "ca_crt_b64", - "path": "/tmp/ca.crt", - "base64": true, - "onMissingValue": "prompt" - } - ] - }, - { - "name": "config-demo2", - "vaultPrefixes": [ - "region-one", - "snowflake.blueprints.rhecoeng.com" - ], - "fields": [ - { - "name": "ca_crt2", - "path": null, - "onMissingValue": "prompt" - }, - { - "name": "ca_crt", - "path": "/tmp/ca.crt", - "onMissingValue": "error" - } - ] - } - ] - } - ], - "definitions": { - "valuesSecretsV2": { - "type": "object", - "additionalProperties": false, - "properties": { - "version": { - "type": [ "string", "null" ], - "description": "Version of the secret specification", - "default": "1.0" - }, - "backingStore": { - "type": "string", - "description": "Secrets backing store type", - "default": "vault" - }, - "vaultPolicies": { - "$ref": "#/definitions/VaultPolicies", - "description": "A dictionary of {name}:{policy} of custom vault password policies" - }, - "secretStoreNamespace": { - "type": "string", - "description": "Namespace to store secrets in for kubernetes loader", - "default": "validated-patterns-secrets" - }, - "defaultLabels": { - "type": "object", - "description": "Default labels to add to secret objects for kubernetes loader" - }, - "defaultAnnotations": { - "type": "object", - "description": "Default labels to add to secret objects for kubernetes loader" - }, - "secrets": { - "$ref": "#/definitions/Secrets", - "description": "The list of actual secrets to be uploaded in the vault" - } - }, - "required": [ - "secrets" - ], - "title": "Values Secrets V2 Format" - }, - "VaultPolicies": { - "type": "object", - "description": "A dictionary of {name}:{policy} of custom vault password policies", - "items": { - "$ref": "#/definitions/VaultPolicy" - }, - "examples": [ - { - "vaultPolicies": { - "basicPolicy": "length=10\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" min-chars = 1 }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" min-chars = 1 }\nrule \"charset\" { charset = \"0123456789\" min-chars = 1 }\n", - "advancedPolicy": "length=20\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" min-chars = 1 }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" min-chars = 1 }\nrule \"charset\" { charset = \"0123456789\" min-chars = 1 }\nrule \"charset\" { charset = \"!@#$%^&*\" min-chars = 1 }\n" - } - } - ] - }, - "VaultPolicy": { - "type": "string", - "description": "A password policy to be created in the vault. See https://developer.hashicorp.com/vault/docs/concepts/password-policies" - }, - "Secrets": { - "type": "array", - "description": "The list of secrets to be injected into the vault", - "items": { - "$ref": "#/definitions/Secret" - } - }, - "Secret": { - "type": "object", - "description": "The single secret to be injected into the vault", - "additionalProperties": false, - "required": [ "name", "fields" ], - "properties": { - "name": { - "type": "string", - "description": "This is the name of the top level key that will be created at the vaultMount point and that will contain one secret per field inside its attributes" - }, - "vaultMount": { - "type": "string", - "description": "This is the vault -mount=<...> mount point used in vault commands", - "default": "secret" - }, - "vaultPrefixes": { - "type": "array", - "description": "This is the list of prefixes the secret will be uploaded to. It defaults to ['hub'] when not specified", - "items": { - "type": "string", - "minItems": 1, - "uniqueItems": true - }, - "default": [ "hub" ] - }, - "targetNamespaces": { - "type": "array", - "description": "The namespace(s) that the secret will be injected into, ignored by configs using ESO", - "items": { - "type": "string", - "minItems": 1, - "uniqueItems": true - } - }, - "annotations": { - "type": "object", - "description": "Annotations to add to the kubernetes secret object, which override defaults" - }, - "labels": { - "type": "object", - "description": "Labels to add to the kubernetes secret object, which override defaults" - }, - "fields": { - "type": "array", - "description": "This is the list of actual secret material that will be placed in a vault key's attributes", - "items": { - "type": "object", - "$ref": "#/definitions/Field", - "minItems": 1, - "uniqueItems": true - } - } - } - }, - "Field": { - "type": "object", - "additionalProperties": false, - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string", - "description": "This is the name of the attribute inside vault" - }, - "onMissingValue": { - "type": "string", - "default": "error", - "description": "'error' will generate an error if the secret (via value or via path attributes) are not defined. 'generate' will create a secret using a defined vaultPolicy. 'prompt' will ask the user for input and it requires to set a value or a path depending if the user should input a secret or a path to a secret file. Non-null entries represent the default value when prompted.", - "enum": [ - "error", - "generate", - "prompt" - ] - }, - "prompt": { - "type": "string", - "description": "Represents the prompt used when onMissingValue is set to prompt" - }, - "value": { - "type": [ - "string", - "null" - ], - "description": "Is the value of a secret. Represents the default value when onMissingValue is set to prompt" - }, - "path": { - "type": [ - "string", - "null" - ], - "description": "Is the path to a secret file. Represents the default path when onMissingValue is set to prompt" - }, - "ini_file": { - "type": [ - "string", - "null" - ], - "description": "Is the path to an ini_file containing secret material" - }, - "ini_section": { - "type": [ - "string", - "null" - ], - "description": "Is the section in an ini file where a user-defined key will be looked up", - "default": "default" - }, - "ini_key": { - "type": [ - "string", - "null" - ], - "description": "Is the key inside a section in an inifile whose value will be used" - }, - "vaultPolicy": { - "type": "string", - "description": "When onMissingValue is set to 'generate', uses this policy to create the secret inside the vault directly" - }, - "base64": { - "type": "boolean", - "description": "Before uploading the secret the content is base-64 encoded. It is recommended to set this to true when dealing with files", - "default": "false" - }, - "override": { - "type": "boolean", - "description": "When onMissingValue is set to 'generate' and the secret already exists in the vault update it", - "default": "false" - } - }, - "dependentRequired": { - "ini_file": ["ini_key"] - }, - "allOf": [ - { - "if": { - "properties": { "onMissingValue": { "enum": ["prompt"] } } - }, - "then": { - "oneOf": [ - { - "required": [ "path" ] - }, - { - "required": [ "value" ] - } - ] - } - }, - { - "if": { - "properties": { "onMissingValue": { "enum": ["generate"] } } - }, - "then": { - "required": [ "vaultPolicy" ] - } - }, - { - "if": { - "properties": { "onMissingValue": { "enum": ["error"] } } - }, - "then": { - "oneOf": [ - { - "required": [ "path" ] - }, - { - "required": [ "ini_file" ] - }, - { - "required": [ "value" ] - } - ] - } - } - ] - } - } -} diff --git a/common/ansible/roles/vault_utils/vars/main.yml b/common/ansible/roles/vault_utils/vars/main.yml deleted file mode 100644 index f6e02b93..00000000 --- a/common/ansible/roles/vault_utils/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for vault_utils diff --git a/common/ansible/tests/unit/test_ini_file.py b/common/ansible/tests/unit/test_ini_file.py deleted file mode 100644 index 6c30fdbb..00000000 --- a/common/ansible/tests/unit/test_ini_file.py +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Simple module to test ini parsing function -""" - -import os -import sys -import unittest - -# TODO(bandini): I could not come up with something better to force the imports to be existing -# when we 'import vault_load_secrets' -sys.path.insert(1, "./ansible/plugins/module_utils") -sys.path.insert(1, "./ansible/plugins/modules") -import load_secrets_common # noqa: E402 - - -class TestMyModule(unittest.TestCase): - - def setUp(self): - self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") - - def test_ensure_ini_file_parsed_correctly(self): - f = os.path.join(self.testdir_v2, "aws-example.ini") - key_id = load_secrets_common.get_ini_value(f, "default", "aws_access_key_id") - access_key = load_secrets_common.get_ini_value( - f, "default", "aws_secret_access_key" - ) - self.assertEqual(key_id, "A123456789012345678A") - self.assertEqual(access_key, "A12345678901234567890123456789012345678A") - - def test_ensure_ini_file_missing_value_is_none(self): - f = os.path.join(self.testdir_v2, "aws-example.ini") - missing_id = load_secrets_common.get_ini_value(f, "default", "nonexisting") - self.assertEqual(missing_id, None) - - def test_ensure_ini_file_missing_section_is_none(self): - f = os.path.join(self.testdir_v2, "aws-example.ini") - missing_id = load_secrets_common.get_ini_value(f, "nonexisting", "nonexisting") - self.assertEqual(missing_id, None) - - -if __name__ == "__main__": - unittest.main() diff --git a/common/ansible/tests/unit/test_parse_secrets.py b/common/ansible/tests/unit/test_parse_secrets.py deleted file mode 100644 index 2dab5716..00000000 --- a/common/ansible/tests/unit/test_parse_secrets.py +++ /dev/null @@ -1,983 +0,0 @@ -# Copyright 2022, 2023 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Simple module to test parse_secret_info -""" - -import base64 -import configparser -import json -import os -import sys -import unittest -from unittest import mock -from unittest.mock import patch - -from ansible.module_utils import basic -from ansible.module_utils.common.text.converters import to_bytes -from test_util_datastructures import ( - DEFAULT_KUBERNETES_METADATA, - DEFAULT_KUBERNETES_SECRET_OBJECT, - DEFAULT_PARSED_SECRET_VALUE, - DEFAULT_VAULT_POLICIES, -) - -# from unittest.mock import call, patch - -# TODO(bandini): I could not come up with something better to force the imports to be existing -# when we "import parse_secrets_info" -sys.path.insert(1, "./ansible/plugins/module_utils") -sys.path.insert(1, "./ansible/plugins/modules") - -import load_secrets_common # noqa: E402 - -sys.modules["ansible.module_utils.load_secrets_common"] = load_secrets_common - -import parse_secrets_v2 # noqa: E402 - -sys.modules["ansible.module_utils.parse_secrets_v2"] = parse_secrets_v2 - -import parse_secrets_info # noqa: E402 - -sys.modules["ansible.modules.parse_secrets_info"] = parse_secrets_info - - -def set_module_args(args): - """prepare arguments so that they will be picked up during module creation""" - args = json.dumps({"ANSIBLE_MODULE_ARGS": args}) - basic._ANSIBLE_ARGS = to_bytes(args) - - -class BytesEncoder(json.JSONEncoder): - - def default(self, o): - if isinstance(o, bytes): - return base64.b64encode(o).decode("ascii") - else: - return super().default(o) - - -def json_str(a): - return json.dumps(a, sort_keys=True, cls=BytesEncoder) - - -def ds_eq(a, b): - """ - This function takes two arbitrary data structures, sorts their keys, stringifies them into JSON - and compares them. The idea here is to test data structure difference without having to write - an involved recursive data structure parser. If the function returns true, the two data - structures are equal. - """ - print("a=" + json_str(a)) - print("b=" + json_str(b)) - return json_str(a) == json_str(b) - - -class AnsibleExitJson(Exception): - """Exception class to be raised by module.exit_json and caught by the test case""" - - pass - - -class AnsibleFailJson(Exception): - """Exception class to be raised by module.fail_json and caught by the test case""" - - pass - - -def exit_json(*args, **kwargs): - """function to patch over exit_json; package return data into an exception""" - if "changed" not in kwargs: - kwargs["changed"] = False - raise AnsibleExitJson(kwargs) - - -def fail_json(*args, **kwargs): - """function to patch over fail_json; package return data into an exception""" - kwargs["failed"] = True - kwargs["args"] = args - raise AnsibleFailJson(kwargs) - - -@mock.patch("getpass.getpass") -class TestMyModule(unittest.TestCase): - - def create_inifile(self): - self.inifile = open("/tmp/awscredentials", "w") - config = configparser.ConfigParser() - config["default"] = { - "aws_access_key_id": "123123", - "aws_secret_access_key": "abcdefghi", - } - config["foobar"] = { - "aws_access_key_id": "345345", - "aws_secret_access_key": "rstuvwxyz", - } - with self.inifile as configfile: - config.write(configfile) - - def create_testbinfile(self): - with open(self.binfilename, "wb") as f: - f.write(bytes([8, 6, 7, 5, 3, 0, 9])) - f.close() - - def setUp(self): - self.binfilename = "/tmp/testbinfile.bin" - self.mock_module_helper = patch.multiple( - basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json - ) - self.mock_module_helper.start() - self.addCleanup(self.mock_module_helper.stop) - self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") - self.testfile = open("/tmp/ca.crt", "w") - self.create_inifile() - self.create_testbinfile() - # For ~/expanduser tests - self.orig_home = os.environ["HOME"] - os.environ["HOME"] = self.testdir_v2 - - def tearDown(self): - os.environ["HOME"] = self.orig_home - self.testfile.close() - try: - os.remove("/tmp/ca.crt") - os.remove(self.binfilename) - # os.remove("/tmp/awscredentials") - except OSError: - pass - - def get_file_as_stdout(self, filename, openmode="r"): - with open(filename, mode=openmode, encoding="utf-8") as f: - return f.read() - - def test_module_fail_when_required_args_missing(self, getpass): - with self.assertRaises(AnsibleFailJson): - set_module_args({}) - parse_secrets_info.main() - - def test_module_parse_base(self, getpass): - getpass.return_value = "/tmp/ca.crt" - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-base.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - } - ) - parse_secrets_info.main() - - ret = result.exception.args[0] - self.assertTrue( - (ret["failed"] is False) - and (ret["changed"] is False) - and (len(ret["parsed_secrets"])) == 1 - and (len(ret["kubernetes_secret_objects"]) == 0) - ) - - def test_module_parse_base_parsed_secrets(self, getpass): - getpass.return_value = "/tmp/ca.crt" - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-base.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - } - ) - parse_secrets_info.main() - - vp = DEFAULT_VAULT_POLICIES | { - "basicPolicy": 'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 - "advancedPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 - } - - # Beware reading this structure aloud to your cat... - pspsps = { - "config-demo": DEFAULT_PARSED_SECRET_VALUE - | { - "name": "config-demo", - "fields": { - "secret": None, - "secret2": "/tmp/ca.crt", - "ca_crt": "", - "ca_crt2": "", - }, - "base64": ["ca_crt2"], - "generate": ["secret"], - "override": ["secret"], - "vault_policies": { - "secret": "basicPolicy", - }, - "vault_prefixes": [ - "region-one", - "snowflake.blueprints.rhecoeng.com", - ], - "paths": { - "ca_crt": "/tmp/ca.crt", - "ca_crt2": "/tmp/ca.crt", - }, - }, - } - - ret = result.exception.args[0] - self.assertTrue( - (ret["failed"] is False) - and (ret["changed"] is False) - and (ds_eq(vp, ret["vault_policies"])) - and (ds_eq(pspsps, ret["parsed_secrets"])) - ) - - def test_module_parsed_secret_ini_files(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-ini-file.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - } - ) - parse_secrets_info.main() - - ps = { - "aws": DEFAULT_PARSED_SECRET_VALUE - | { - "name": "aws", - "fields": { - "aws_access_key_id": "123123", - "aws_secret_access_key": "abcdefghi", - }, - "ini_file": { - "aws_access_key_id": { - "ini_file": "/tmp/awscredentials", - "ini_section": "default", - "ini_key": "aws_access_key_id", - }, - "aws_secret_access_key": { - "ini_file": "/tmp/awscredentials", - "ini_section": "default", - "ini_key": "aws_secret_access_key", - }, - }, - }, - "awsfoobar": DEFAULT_PARSED_SECRET_VALUE - | { - "name": "awsfoobar", - "fields": { - "aws_access_key_id": "345345", - "aws_secret_access_key": "rstuvwxyz", - }, - "ini_file": { - "aws_access_key_id": { - "ini_file": "/tmp/awscredentials", - "ini_section": "foobar", - "ini_key": "aws_access_key_id", - }, - "aws_secret_access_key": { - "ini_file": "/tmp/awscredentials", - "ini_section": "foobar", - "ini_key": "aws_secret_access_key", - }, - }, - }, - } - - ret = result.exception.args[0] - self.assertTrue( - (ret["failed"] is False) - and (ret["changed"] is False) - and (len(ret["parsed_secrets"]) == 2) - and (ds_eq(ps, ret["parsed_secrets"])) - ) - - def test_module_parsed_secret_ini_files_base64(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-ini-file-b64.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - } - ) - parse_secrets_info.main() - - ps = { - "aws": DEFAULT_PARSED_SECRET_VALUE - | { - "name": "aws", - "fields": { - "aws_access_key_id": "A123456789012345678A", - "aws_secret_access_key": "A12345678901234567890123456789012345678A", - }, - "ini_file": { - "aws_access_key_id": { - "ini_file": f"{os.environ['HOME']}/aws-example.ini", - "ini_section": "default", - "ini_key": "aws_access_key_id", - }, - "aws_secret_access_key": { - "ini_file": f"{os.environ['HOME']}/aws-example.ini", - "ini_section": "default", - "ini_key": "aws_secret_access_key", - }, - }, - }, - "awsb64": DEFAULT_PARSED_SECRET_VALUE - | { - "name": "awsb64", - "fields": { - "aws_access_key_id": "QTEyMzQ1Njc4OTAxMjM0NTY3OEE=", - "aws_secret_access_key": "QTEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4QQ==", - }, - "base64": [ - "aws_access_key_id", - "aws_secret_access_key", - ], - "ini_file": { - "aws_access_key_id": { - "ini_file": f"{os.environ['HOME']}/aws-example.ini", - "ini_section": "default", - "ini_key": "aws_access_key_id", - }, - "aws_secret_access_key": { - "ini_file": f"{os.environ['HOME']}/aws-example.ini", - "ini_section": "default", - "ini_key": "aws_secret_access_key", - }, - }, - }, - } - - ret = result.exception.args[0] - self.assertTrue( - (ret["failed"] is False) - and (ret["changed"] is False) - and (len(ret["parsed_secrets"]) == 2) - and (len(ret["kubernetes_secret_objects"]) == 0) - and (ds_eq(ps, ret["parsed_secrets"])) - ) - - def test_module_parsed_secret_ini_files_base64_kubernetes(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-ini-file-b64.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - - ps = { - "aws": DEFAULT_PARSED_SECRET_VALUE - | { - "name": "aws", - "fields": { - "aws_access_key_id": "A123456789012345678A", - "aws_secret_access_key": "A12345678901234567890123456789012345678A", - }, - "ini_file": { - "aws_access_key_id": { - "ini_file": f"{os.environ['HOME']}/aws-example.ini", - "ini_section": "default", - "ini_key": "aws_access_key_id", - }, - "aws_secret_access_key": { - "ini_file": f"{os.environ['HOME']}/aws-example.ini", - "ini_section": "default", - "ini_key": "aws_secret_access_key", - }, - }, - }, - "awsb64": DEFAULT_PARSED_SECRET_VALUE - | { - "name": "awsb64", - "fields": { - "aws_access_key_id": "QTEyMzQ1Njc4OTAxMjM0NTY3OEE=", - "aws_secret_access_key": "QTEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4QQ==", - }, - "base64": [ - "aws_access_key_id", - "aws_secret_access_key", - ], - "ini_file": { - "aws_access_key_id": { - "ini_file": f"{os.environ['HOME']}/aws-example.ini", - "ini_section": "default", - "ini_key": "aws_access_key_id", - }, - "aws_secret_access_key": { - "ini_file": f"{os.environ['HOME']}/aws-example.ini", - "ini_section": "default", - "ini_key": "aws_secret_access_key", - }, - }, - }, - } - - ret = result.exception.args[0] - self.assertTrue( - (ret["failed"] is False) - and (ret["changed"] is False) - and (len(ret["parsed_secrets"]) == 2) - and (len(ret["kubernetes_secret_objects"]) == 2) - and (ds_eq(ps, ret["parsed_secrets"])) - ) - - def test_module_default_labels(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-default-labels.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - - ret = result.exception.args[0] - self.assertTrue( - ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - "labels": {"testlabel": "4"}, - "namespace": "validated-patterns-secrets", - }, - "stringData": {"username": "user"}, - }, - ) - ) - - def test_module_override_labels(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-override-labels.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - self.assertTrue( - ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - "labels": {"overridelabel": "42"}, - }, - "stringData": {"username": "user"}, - }, - ) - ) - - def test_module_override_namespace(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-override-namespace.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - self.assertTrue( - len(ret["kubernetes_secret_objects"]) == 1 - and ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - "namespace": "overridden-namespace", - }, - "stringData": {"username": "user"}, - }, - ) - ) - - def test_module_none_extra_namespaces(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-more-namespaces.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "none", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - self.assertTrue( - len(ret["kubernetes_secret_objects"]) == 2 - and ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - "namespace": "default", - }, - "stringData": {"username": "user"}, - }, - ) - and ds_eq( - ret["kubernetes_secret_objects"][1], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - "namespace": "extra", - }, - "stringData": {"username": "user"}, - }, - ) - ) - - def test_module_override_type_kubernetes(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-override-type.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - self.assertTrue( - len(ret["kubernetes_secret_objects"]) == 1 - and ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "type": "user-specified", - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - }, - "stringData": {"username": "user"}, - }, - ) - ) - - def test_module_override_type_none(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-override-type-none.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "none", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - self.assertTrue( - len(ret["kubernetes_secret_objects"]) == 1 - and ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "type": "user-specified", - "metadata": DEFAULT_KUBERNETES_METADATA - | {"name": "test-secret", "namespace": "default"}, - "stringData": {"username": "user"}, - }, - ) - ) - - def test_module_secret_file_contents(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-file-contents.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - self.assertTrue( - len(ret["kubernetes_secret_objects"]) == 1 - and ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - }, - "stringData": {"username": "This space intentionally left blank\n"}, - }, - ) - ) - - def test_module_secret_file_contents_b64(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-file-contents-b64.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - self.assertTrue( - len(ret["kubernetes_secret_objects"]) == 1 - and ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - }, - "stringData": { - "username": "VGhpcyBzcGFjZSBpbnRlbnRpb25hbGx5IGxlZnQgYmxhbmsK" - }, - }, - ) - ) - - def test_module_secret_file_contents_double_b64(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join( - self.testdir_v2, "values-secret-v2-file-contents-double-b64.yaml" - ) - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - self.assertTrue( - len(ret["kubernetes_secret_objects"]) == 1 - and ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "test-secret", - }, - "stringData": { - "username": "VkdocGN5QnpjR0ZqWlNCcGJuUmxiblJwYjI1aGJHeDVJR3hsWm5RZ1lteGhibXNL" - }, - }, - ) - ) - - def test_module_secret_file_contents_binary_b64(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-secret-binary-b64.yaml") - ) - with self.assertRaises(AnsibleExitJson) as result: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - ret = result.exception.args[0] - - # The binary bytes are [ 8, 6, 7, 5, 3, 0, 9 ] (IYKYK) - self.assertTrue( - len(ret["kubernetes_secret_objects"]) == 1 - and ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "secret", - }, - "stringData": {"secret": "CAYHBQMACQ=="}, - }, - ) - ) - - def test_ensure_success_retrieving_block_yaml_policy(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-defaultvp-policy.yaml") - ) - with self.assertRaises(AnsibleExitJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "vault", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertTrue( - ds_eq( - ret["vault_policies"], - { - "basicPolicy": 'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 - "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 - }, - ) - ) - - def test_ensure_success_retrieving_block_yaml_value(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-block-yamlstring.yaml") - ) - with self.assertRaises(AnsibleExitJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "vault", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertTrue( - ds_eq( - ret["parsed_secrets"], - { - "config-demo": DEFAULT_PARSED_SECRET_VALUE - | { - "fields": { - "sshprivkey": "ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com", # noqa: E501 - "sshpubkey": "-----BEGIN OPENSSH PRIVATE KEY-----\nTtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw==\nwlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q==\n-----END OPENSSH PRIVATE KEY-----", # noqa: E501 - }, - "name": "config-demo", - } - }, - ) - ) - - def test_ensure_kubernetes_object_block_yaml_value(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-block-yamlstring.yaml") - ) - with self.assertRaises(AnsibleExitJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertTrue( - ds_eq( - ret["kubernetes_secret_objects"][0], - DEFAULT_KUBERNETES_SECRET_OBJECT - | { - "metadata": DEFAULT_KUBERNETES_METADATA - | { - "name": "config-demo", - }, - "stringData": { - "sshprivkey": "ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com", # noqa: E501 - "sshpubkey": "-----BEGIN OPENSSH PRIVATE KEY-----\nTtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw==\nwlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q==\n-----END OPENSSH PRIVATE KEY-----", # noqa: E501 - }, - }, - ) - ) - - def test_ensure_kubernetes_backend_allowed(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-base-k8s-backend.yaml") - ) - with self.assertRaises(AnsibleExitJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertFalse(ret["failed"]) - - def test_ensure_none_backend_allowed(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-base-none-backend.yaml") - ) - with self.assertRaises(AnsibleExitJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "none", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertFalse(ret["failed"]) - - def test_ensure_error_conflicting_backends(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-base-k8s-backend.yaml") - ) - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "vault", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secrets file specifies 'kubernetes' backend but pattern config specifies 'vault'." - ) - - def test_ensure_error_unknown_backends(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-base-unknown-backend.yaml") - ) - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "unknown", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Currently only the 'vault', 'kubernetes' and 'none' backingStores are supported: unknown" - ) - - def test_ensure_error_secrets_same_name(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-same-secret-names.yaml") - ) - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] == "You cannot have duplicate secret names: ['config-demo']" - ) - - def test_ensure_error_fields_same_name(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-same-field-names.yaml") - ) - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "You cannot have duplicate field names: ['secret']" - - def test_ensure_generate_errors_on_kubernetes(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-generic-onlygenerate.yaml") - ) - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "kubernetes", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "You cannot have onMissingValue set to 'generate' unless using vault backingstore for secret config-demo field secret" # noqa: E501 - ) - - def test_ensure_generate_errors_on_none_generate(self, getpass): - testfile_output = self.get_file_as_stdout( - os.path.join(self.testdir_v2, "values-secret-v2-generic-onlygenerate.yaml") - ) - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets_plaintext": testfile_output, - "secrets_backing_store": "none", - } - ) - parse_secrets_info.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "You cannot have onMissingValue set to 'generate' unless using vault backingstore for secret config-demo field secret" # noqa: E501 - ) - - -if __name__ == "__main__": - unittest.main() diff --git a/common/ansible/tests/unit/test_util_datastructures.py b/common/ansible/tests/unit/test_util_datastructures.py deleted file mode 100644 index 11d7cdae..00000000 --- a/common/ansible/tests/unit/test_util_datastructures.py +++ /dev/null @@ -1,205 +0,0 @@ -DEFAULT_PARSED_SECRET_VALUE = { - "name": "overwrite-me", - "fields": {}, - "base64": [], - "ini_file": {}, - "generate": [], - "override": [], - "vault_mount": "secret", - "vault_policies": {}, - "vault_prefixes": ["hub"], - "type": "Opaque", - "target_namespaces": [], - "labels": {}, - "annotations": {}, - "paths": {}, -} - -DEFAULT_KUBERNETES_METADATA = { - "name": "overwrite-me", - "labels": {}, - "annotations": {}, - "namespace": "validated-patterns-secrets", -} -DEFAULT_KUBERNETES_SECRET_OBJECT = { - "kind": "Secret", - "type": "Opaque", - "apiVersion": "v1", - "metadata": DEFAULT_KUBERNETES_METADATA, - "stringData": {}, -} - -DEFAULT_VAULT_POLICIES = { - "validatedPatternDefaultPolicy": ( - "length=20\n" - 'rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\n' # noqa: E501 - 'rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\n' # noqa: E501 - 'rule "charset" { charset = "0123456789" min-chars = 1 }\n' - 'rule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' - ), -} - -GENERATE_POLICY_B64_TEST = { - "vault_policies": { - "basicPolicy": 'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 - "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 - }, - "parsed_secrets": { - "config-demo": { - "annotations": {}, - "base64": ["secret"], - "fields": {"secret": None}, - "generate": ["secret"], - "ini_file": {}, - "labels": {}, - "name": "config-demo", - "namespace": "validated-patterns-secrets", - "override": ["secret"], - "paths": {}, - "type": "Opaque", - "vault_mount": "secret", - "vault_policies": {"secret": "basicPolicy"}, - "vault_prefixes": ["region-one", "snowflake.blueprints.rhecoeng.com"], - } - }, -} - -PARSED_SECRET_VALUE_TEST = { - "parsed_secrets": { - "config-demo": { - "annotations": {}, - "base64": [], - "fields": {"secret": "value123"}, - "generate": [], - "ini_file": {}, - "labels": {}, - "name": "config-demo", - "namespace": "validated-patterns-secrets", - "override": [], - "paths": {}, - "type": "Opaque", - "vault_mount": "secret", - "vault_policies": {}, - "vault_prefixes": ["hub"], - } - }, - "vault_policies": { - "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: E501 - }, -} - -PARSED_SECRET_B64_VALUE_TEST = { - "parsed_secrets": { - "config-demo": { - "annotations": {}, - "base64": ["secret"], - "fields": {"secret": "dmFsdWUxMjMK"}, - "generate": [], - "ini_file": {}, - "labels": {}, - "name": "config-demo", - "namespace": "validated-patterns-secrets", - "override": [], - "paths": {}, - "type": "Opaque", - "vault_mount": "secret", - "vault_policies": {}, - "vault_prefixes": ["hub"], - } - }, - "vault_policies": { - "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: E501 - }, -} - -PARSED_SECRET_FILE_INJECTION_TEST = { - "parsed_secrets": { - "config-demo": { - "annotations": {}, - "base64": [], - "fields": {"secret": "value123"}, - "generate": [], - "ini_file": {}, - "labels": {}, - "name": "config-demo", - "namespace": "validated-patterns-secrets", - "override": [], - "paths": {}, - "type": "Opaque", - "vault_mount": "secret", - "vault_policies": {}, - "vault_prefixes": [ - "secret/region-one", - "secret/snowflake.blueprints.rhecoeng.com", - ], - }, - "config-demo-file": { - "annotations": {}, - "base64": [], - "fields": {"test": ""}, - "generate": [], - "ini_file": {}, - "labels": {}, - "name": "config-demo-file", - "namespace": "validated-patterns-secrets", - "override": [], - "paths": {"test": "/tmp/footest"}, - "type": "Opaque", - "vault_mount": "secret", - "vault_policies": {}, - "vault_prefixes": [ - "secret/region-two", - "secret/snowflake.blueprints.rhecoeng.com", - ], - }, - }, - "vault_policies": { - "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: 501 - }, -} - -PARSED_SECRET_FILE_B64_INJECTION_TEST = { - "parsed_secrets": { - "config-demo": { - "annotations": {}, - "base64": [], - "fields": {"secret": "value123"}, - "generate": [], - "ini_file": {}, - "labels": {}, - "name": "config-demo", - "namespace": "validated-patterns-secrets", - "override": [], - "paths": {}, - "type": "Opaque", - "vault_mount": "secret", - "vault_policies": {}, - "vault_prefixes": [ - "secret/region-one", - "secret/snowflake.blueprints.rhecoeng.com", - ], - }, - "config-demo-file": { - "annotations": {}, - "base64": ["test"], - "fields": {"test": ""}, - "generate": [], - "ini_file": {}, - "labels": {}, - "name": "config-demo-file", - "namespace": "validated-patterns-secrets", - "override": [], - "paths": {"test": "/tmp/footest"}, - "type": "Opaque", - "vault_mount": "secret", - "vault_policies": {}, - "vault_prefixes": [ - "secret/region-two", - "secret/snowflake.blueprints.rhecoeng.com", - ], - }, - }, - "vault_policies": { - "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: 501 - }, -} diff --git a/common/ansible/tests/unit/test_vault_load_parsed_secrets.py b/common/ansible/tests/unit/test_vault_load_parsed_secrets.py deleted file mode 100644 index 66ec6b69..00000000 --- a/common/ansible/tests/unit/test_vault_load_parsed_secrets.py +++ /dev/null @@ -1,321 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Simple module to test vault_load_parsed_secrets -""" - -import json -import os -import sys -import unittest -from unittest.mock import call, patch - -import test_util_datastructures -from ansible.module_utils import basic -from ansible.module_utils.common.text.converters import to_bytes - -# TODO(bandini): I could not come up with something better to force the imports to be existing -# when we 'import vault_load_secrets' -sys.path.insert(1, "./ansible/plugins/module_utils") -sys.path.insert(1, "./ansible/plugins/modules") - -import vault_load_parsed_secrets # noqa: E402 - -sys.modules["ansible.modules.vault_load_parsed_secrets"] = vault_load_parsed_secrets - - -def set_module_args(args): - """prepare arguments so that they will be picked up during module creation""" - args = json.dumps({"ANSIBLE_MODULE_ARGS": args}) - basic._ANSIBLE_ARGS = to_bytes(args) - - -class AnsibleExitJson(Exception): - """Exception class to be raised by module.exit_json and caught by the test case""" - - pass - - -class AnsibleFailJson(Exception): - """Exception class to be raised by module.fail_json and caught by the test case""" - - pass - - -def exit_json(*args, **kwargs): - """function to patch over exit_json; package return data into an exception""" - if "changed" not in kwargs: - kwargs["changed"] = False - raise AnsibleExitJson(kwargs) - - -def fail_json(*args, **kwargs): - """function to patch over fail_json; package return data into an exception""" - kwargs["failed"] = True - kwargs["args"] = args - raise AnsibleFailJson(kwargs) - - -class TestMyModule(unittest.TestCase): - - def setUp(self): - self.mock_module_helper = patch.multiple( - basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json - ) - self.mock_module_helper.start() - self.addCleanup(self.mock_module_helper.stop) - self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") - - def tearDown(self): - return - - def test_module_fail_when_required_args_missing(self): - with self.assertRaises(AnsibleFailJson): - set_module_args({}) - vault_load_parsed_secrets.main() - - # For these tests, we need the data structures that parse_secrets_info outputs. - # Several have been saved in the test_util_datastructures module for this purpose - def test_ensure_value_injection_works(self): - set_module_args( - { - "parsed_secrets": test_util_datastructures.PARSED_SECRET_VALUE_TEST[ - "parsed_secrets" - ], - "vault_policies": test_util_datastructures.PARSED_SECRET_VALUE_TEST[ - "vault_policies" - ], - } - ) - with patch.object( - vault_load_parsed_secrets.VaultSecretLoader, "_run_command" - ) as mock_run_command: - stdout = "" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_parsed_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 2 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/config-demo secret='\"'value123'\"'\"", # noqa: E501 - attempts=3, - ), - ] - print(mock_run_command.mock_calls) - mock_run_command.assert_has_calls(calls) - - def test_ensure_b64_value_injection_works(self): - set_module_args( - { - "parsed_secrets": test_util_datastructures.PARSED_SECRET_B64_VALUE_TEST[ - "parsed_secrets" - ], - "vault_policies": test_util_datastructures.PARSED_SECRET_B64_VALUE_TEST[ - "vault_policies" - ], - } - ) - with patch.object( - vault_load_parsed_secrets.VaultSecretLoader, "_run_command" - ) as mock_run_command: - stdout = "" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_parsed_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 2 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/config-demo secret='\"'dmFsdWUxMjMK'\"'\"", # noqa: E501 - attempts=3, - ), - ] - print(mock_run_command.mock_calls) - mock_run_command.assert_has_calls(calls) - - def test_ensure_file_injection_works(self): - set_module_args( - { - "parsed_secrets": test_util_datastructures.PARSED_SECRET_FILE_INJECTION_TEST[ - "parsed_secrets" - ], - "vault_policies": test_util_datastructures.PARSED_SECRET_FILE_INJECTION_TEST[ - "vault_policies" - ], - } - ) - with patch.object( - vault_load_parsed_secrets.VaultSecretLoader, "_run_command" - ) as mock_run_command: - stdout = "" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_parsed_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 5 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/region-one/config-demo secret='\"'value123'\"'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo secret='\"'value123'\"'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/region-two/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - print(mock_run_command.mock_calls) - mock_run_command.assert_has_calls(calls) - - def test_ensure_file_b64_injection_works(self): - set_module_args( - { - "parsed_secrets": test_util_datastructures.PARSED_SECRET_FILE_B64_INJECTION_TEST[ - "parsed_secrets" - ], - "vault_policies": test_util_datastructures.PARSED_SECRET_FILE_B64_INJECTION_TEST[ - "vault_policies" - ], - } - ) - with patch.object( - vault_load_parsed_secrets.VaultSecretLoader, "_run_command" - ) as mock_run_command: - stdout = "" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_parsed_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 5 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/region-one/config-demo secret='\"'value123'\"'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo secret='\"'value123'\"'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0> /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/region-two/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0> /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - print(mock_run_command.mock_calls) - mock_run_command.assert_has_calls(calls) - - def test_ensure_b64_generate_passwords_works(self): - set_module_args( - { - "parsed_secrets": test_util_datastructures.GENERATE_POLICY_B64_TEST[ - "parsed_secrets" - ], - "vault_policies": test_util_datastructures.GENERATE_POLICY_B64_TEST[ - "vault_policies" - ], - } - ) - with patch.object( - vault_load_parsed_secrets.VaultSecretLoader, "_run_command" - ) as mock_run_command: - stdout = "" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_parsed_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 4 - - calls = [ - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - ] - print(mock_run_command.mock_calls) - mock_run_command.assert_has_calls(calls) - - -if __name__ == "__main__": - unittest.main() diff --git a/common/ansible/tests/unit/test_vault_load_secrets.py b/common/ansible/tests/unit/test_vault_load_secrets.py deleted file mode 100644 index 03d25d8c..00000000 --- a/common/ansible/tests/unit/test_vault_load_secrets.py +++ /dev/null @@ -1,389 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Simple module to test vault_load_secrets -""" - -import json -import os -import sys -import unittest -from unittest.mock import call, patch - -from ansible.module_utils import basic -from ansible.module_utils.common.text.converters import to_bytes - -# TODO(bandini): I could not come up with something better to force the imports to be existing -# when we 'import vault_load_secrets' -sys.path.insert(1, "./ansible/plugins/module_utils") -sys.path.insert(1, "./ansible/plugins/modules") -import load_secrets_common # noqa: E402 - -sys.modules["ansible.module_utils.load_secrets_common"] = load_secrets_common -import load_secrets_v1 # noqa: E402 -import load_secrets_v2 # noqa: E402 - -sys.modules["ansible.module_utils.load_secrets_v1"] = load_secrets_v1 -sys.modules["ansible.module_utils.load_secrets_v2"] = load_secrets_v2 -import vault_load_secrets # noqa: E402 - - -def set_module_args(args): - """prepare arguments so that they will be picked up during module creation""" - args = json.dumps({"ANSIBLE_MODULE_ARGS": args}) - basic._ANSIBLE_ARGS = to_bytes(args) - - -class AnsibleExitJson(Exception): - """Exception class to be raised by module.exit_json and caught by the test case""" - - pass - - -class AnsibleFailJson(Exception): - """Exception class to be raised by module.fail_json and caught by the test case""" - - pass - - -def exit_json(*args, **kwargs): - """function to patch over exit_json; package return data into an exception""" - if "changed" not in kwargs: - kwargs["changed"] = False - raise AnsibleExitJson(kwargs) - - -def fail_json(*args, **kwargs): - """function to patch over fail_json; package return data into an exception""" - kwargs["failed"] = True - kwargs["args"] = args - raise AnsibleFailJson(kwargs) - - -class TestMyModule(unittest.TestCase): - - def setUp(self): - self.mock_module_helper = patch.multiple( - basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json - ) - self.mock_module_helper.start() - self.addCleanup(self.mock_module_helper.stop) - self.testdir_v1 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v1") - self.testfile = open("/tmp/ca.crt", "w") - - def tearDown(self): - self.testfile.close() - try: - os.remove("/tmp/ca.crt") - except OSError: - pass - - def test_module_fail_when_required_args_missing(self): - with self.assertRaises(AnsibleFailJson): - set_module_args({}) - vault_load_secrets.main() - - def test_module_fail_when_values_secret_not_existing(self): - with self.assertRaises(AnsibleExitJson) as ansible_err: - set_module_args( - { - "values_secrets": "/tmp/nonexisting", - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - self.assertEqual(ret["error"], "Missing /tmp/nonexisting file") - self.assertEqual( - ret["msg"], "Values secrets file does not exist: /tmp/nonexisting" - ) - - def test_ensure_empty_files_but_not_secrets_is_ok(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, - "values-secret-empty-files.yaml", - ) - } - ) - - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 2 - - calls = [ - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/config-demo' secret='VALUE'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/aws' access_key_id='VALUE' secret_access_key='VALUE'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_broken_files_fail(self): - for i in ( - "values-secret-broken1.yaml", - "values-secret-broken2.yaml", - "values-secret-broken3.yaml", - ): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args({"values_secrets": os.path.join(self.testdir_v1, i)}) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - - def test_ensure_empty_secrets_but_not_files_is_ok(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, - "values-secret-empty-secrets.yaml", - ), - } - ) - - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 1 - - calls = [ - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | vault kv put secret/hub/publickey b64content=- content=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_command_called(self): - set_module_args( - {"values_secrets": os.path.join(self.testdir_v1, "values-secret-good.yaml")} - ) - - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 9 - - calls = [ - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/config-demo' secret='demo123'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/googleapi' key='test123'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/cluster_alejandro' name='alejandro' bearerToken='sha256~bumxi-012345678901233455675678678098-abcdef'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/test' s3.accessKey='1234' s3.secretKey='4321' s3Secret='czMuYWNjZXNzS2V5OiAxMjM0CnMzLnNlY3JldEtleTogNDMyMQ=='\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/test2' s3.accessKey='accessKey' s3.secretKey='secretKey' s3Secret='fooo'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/test3' s3.accessKey='aaaaa' s3.secretKey='bbbbbbbb' s3Secret='czMuYWNjZXNzS2V5OiBhYWFhYQpzMy5zZWNyZXRLZXk6IGJiYmJiYmJi'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/region-one/config-demo' secret='region123'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | vault kv put secret/hub/cluster_alejandro_ca b64content=- content=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | vault kv put secret/region-one/ca b64content=- content=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_good_template_checking(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, "mcg-values-secret.yaml" - ), - "check_missing_secrets": True, - "values_secret_template": os.path.join( - self.testdir_v1, "template-mcg-working.yaml" - ), - } - ) - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 1 - - calls = [ - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/config-demo' secret='VALUE' additionalsecret='test'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_bad_template_checking(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, "mcg-values-secret.yaml" - ), - "check_missing_secrets": True, - "values_secret_template": os.path.join( - self.testdir_v1, "template-mcg-missing.yaml" - ), - } - ) - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr - - with self.assertRaises(AnsibleFailJson) as result: - vault_load_secrets.main() - self.assertTrue(result.exception.args[0]["failed"]) - # In case of failure args[1] contains the msg of the failure - assert ( - result.exception.args[0]["args"][1] - == "Values secret yaml is missing needed secrets from the templates: {'secrets.config-demo.foo'}" - ) - assert mock_run_command.call_count == 0 - - def test_ensure_fqdn_secrets(self): - set_module_args( - {"values_secrets": os.path.join(self.testdir_v1, "values-secret-fqdn.yaml")} - ) - - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 3 - - calls = [ - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/test' secret1='foo'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/region-one.blueprints.rhecoeng.com/config-demo' secret='region123'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | vault kv put secret/region-one/ca b64content=- content=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_check_missing_secrets_errors_out(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, "mcg-values-secret.yaml" - ), - "check_missing_secrets": True, - "values_secret_template": "", - } - ) - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr - - with self.assertRaises(AnsibleFailJson) as result: - vault_load_secrets.main() - self.assertTrue(result.exception.args[0]["failed"]) - # In case of failure args[1] contains the msg of the failure - assert ( - result.exception.args[0]["args"][1] - == "No values_secret_template defined and check_missing_secrets set to True" - ) - assert mock_run_command.call_count == 0 - - -if __name__ == "__main__": - unittest.main() diff --git a/common/ansible/tests/unit/test_vault_load_secrets_v2.py b/common/ansible/tests/unit/test_vault_load_secrets_v2.py deleted file mode 100644 index 7b934320..00000000 --- a/common/ansible/tests/unit/test_vault_load_secrets_v2.py +++ /dev/null @@ -1,761 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Simple module to test vault_load_secrets -""" - -import configparser -import json -import os -import sys -import unittest -from unittest import mock -from unittest.mock import call, patch - -from ansible.module_utils import basic -from ansible.module_utils.common.text.converters import to_bytes - -# TODO(bandini): I could not come up with something better to force the imports to be existing -# when we 'import vault_load_secrets' -sys.path.insert(1, "./ansible/plugins/module_utils") -sys.path.insert(1, "./ansible/plugins/modules") -import load_secrets_common # noqa: E402 - -sys.modules["ansible.module_utils.load_secrets_common"] = load_secrets_common -import load_secrets_v1 # noqa: E402 -import load_secrets_v2 # noqa: E402 - -sys.modules["ansible.module_utils.load_secrets_v1"] = load_secrets_v1 -sys.modules["ansible.module_utils.load_secrets_v2"] = load_secrets_v2 -import vault_load_secrets # noqa: E402 - - -def set_module_args(args): - """prepare arguments so that they will be picked up during module creation""" - args = json.dumps({"ANSIBLE_MODULE_ARGS": args}) - basic._ANSIBLE_ARGS = to_bytes(args) - - -class AnsibleExitJson(Exception): - """Exception class to be raised by module.exit_json and caught by the test case""" - - pass - - -class AnsibleFailJson(Exception): - """Exception class to be raised by module.fail_json and caught by the test case""" - - pass - - -def exit_json(*args, **kwargs): - """function to patch over exit_json; package return data into an exception""" - if "changed" not in kwargs: - kwargs["changed"] = False - raise AnsibleExitJson(kwargs) - - -def fail_json(*args, **kwargs): - """function to patch over fail_json; package return data into an exception""" - kwargs["failed"] = True - kwargs["args"] = args - raise AnsibleFailJson(kwargs) - - -@mock.patch("getpass.getpass") -class TestMyModule(unittest.TestCase): - - def create_inifile(self): - self.inifile = open("/tmp/awscredentials", "w") - config = configparser.ConfigParser() - config["default"] = { - "aws_access_key_id": "123123", - "aws_secret_access_key": "abcdefghi", - } - config["foobar"] = { - "aws_access_key_id": "345345", - "aws_secret_access_key": "rstuvwxyz", - } - with self.inifile as configfile: - config.write(configfile) - - def setUp(self): - self.mock_module_helper = patch.multiple( - basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json - ) - self.mock_module_helper.start() - self.addCleanup(self.mock_module_helper.stop) - self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") - self.testfile = open("/tmp/ca.crt", "w") - self.create_inifile() - - def tearDown(self): - self.testfile.close() - try: - os.remove("/tmp/ca.crt") - # os.remove("/tmp/awscredentials") - except OSError: - pass - - def test_module_fail_when_required_args_missing(self, getpass): - with self.assertRaises(AnsibleFailJson): - set_module_args({}) - vault_load_secrets.main() - - def test_module_fail_when_values_secret_not_existing(self, getpass): - with self.assertRaises(AnsibleExitJson) as ansible_err: - set_module_args( - { - "values_secrets": "/tmp/nonexisting", - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - self.assertEqual(ret["error"], "Missing /tmp/nonexisting file") - self.assertEqual( - ret["msg"], "Values secrets file does not exist: /tmp/nonexisting" - ) - - def test_ensure_no_vault_policies_is_ok(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-nopolicies.yaml" - ), - } - ) - getpass.return_value = "foo" - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 5 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/region-one/config-demo secret='value123'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo secret='value123'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0 > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/region-two/config-demo-file ca_crt=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0 > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo-file ca_crt=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_policies_are_injected(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-base.yaml" - ), - } - ) - # this will be used for both a secret and a file path - getpass.return_value = "/tmp/ca.crt" - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 11 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/advancedPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/advancedPolicy policy=@/tmp/advancedPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv patch -mount=secret region-one/config-demo secret2='/tmp/ca.crt'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv patch -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret2='/tmp/ca.crt'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv patch -mount=secret region-one/config-demo ca_crt=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv patch -mount=secret snowflake.blueprints.rhecoeng.com/config-demo ca_crt=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0 > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv patch -mount=secret region-one/config-demo ca_crt2=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0 > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv patch -mount=secret snowflake.blueprints.rhecoeng.com/config-demo ca_crt2=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_wrong_onmissing_value(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-wrong-onmissingvalue.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secret has vaultPolicy set to nonExisting but no such policy exists" - ) - - def test_ensure_error_wrong_vaultpolicy(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-wrong-vaultpolicy.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secret has vaultPolicy set to nonExisting but no such policy exists" - ) - - def test_ensure_error_file_wrong_onmissing_value(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, - "values-secret-v2-files-wrong-onmissingvalue.yaml", - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secret has onMissingValue set to 'generate' but has a path set" - ) - - def test_ensure_error_file_emptypath(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-files-emptypath.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secret has onMissingValue set to 'error' and has neither value nor path nor ini_file set" - ) - - def test_ensure_error_file_wrongpath(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-files-wrongpath.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "Field has non-existing path: /tmp/nonexisting" - - def test_ensure_error_empty_vaultprefix(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-emptyvaultprefix.yaml" - ), - } - ) - vault_load_secrets.main() - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "Secret config-demo has empty vaultPrefixes" - - def test_ensure_default_no_vaultprefix(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-novaultprefix.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 2 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/config-demo secret='value123'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_only_generate_passwords_works(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-onlygenerate.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 7 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/advancedPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/advancedPolicy policy=@/tmp/advancedPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=foo region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=foo snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/advancedPolicy/generate | vault kv patch -mount=foo region-one/config-demo secret2=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/advancedPolicy/generate | vault kv patch -mount=foo snowflake.blueprints.rhecoeng.com/config-demo secret2=-"', # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_generate_password_base64_works(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-generate-base64.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 4 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_secrets_same_name(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-same-secret-names.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] == "You cannot have duplicate secret names: ['config-demo']" - ) - - def test_ensure_error_fields_same_name(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-same-field-names.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "You cannot have duplicate field names: ['secret']" - - def test_password_base64_secret(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-secret-base64.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 2 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret test/config-demo secret='Zm9v'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_on_unsupported_backingstore(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, - "values-secret-v2-nonexisting-backingstore.yaml", - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Currently only the 'vault' backingStore is supported: nonexisting" - ) - - def test_password_default_vp_policy(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-defaultvp-policy.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 6 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/validatedPatternDefaultPolicy/generate | vault kv patch -mount=secret region-one/config-demo secret2=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/validatedPatternDefaultPolicy/generate | vault kv patch -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret2=-"', # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_on_wrong_override(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, - "values-secret-v2-wrong-override.yaml", - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "'override' attribute requires 'onMissingValue' to be set to 'generate'" - ) - - def test_ensure_override_works(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-test-override.yaml" - ), - } - ) - # this will be used for both a secret and a file path - getpass.return_value = "/tmp/ca.crt" - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 5 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/advancedPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/advancedPolicy policy=@/tmp/advancedPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault kv get -mount=secret -field=secret region-one/config-demo"', # noqa: E501 - attempts=1, - checkrc=False, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault kv get -mount=secret -field=secret snowflake.blueprints.rhecoeng.com/config-demo"', # noqa: E501 - attempts=1, - checkrc=False, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_wrong_ini_file(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-wrong-ini-file.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "ini_file requires at least ini_key to be defined" - - def test_ensure_ini_file_works(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-ini-file.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 5 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/aws aws_access_key_id='123123'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv patch -mount=secret hub/aws aws_secret_access_key='abcdefghi'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/awsfoobar aws_access_key_id='345345'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv patch -mount=secret hub/awsfoobar aws_secret_access_key='rstuvwxyz'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - -if __name__ == "__main__": - unittest.main() diff --git a/common/ansible/tests/unit/v1/mcg-values-secret.yaml b/common/ansible/tests/unit/v1/mcg-values-secret.yaml deleted file mode 100644 index 8586f1a6..00000000 --- a/common/ansible/tests/unit/v1/mcg-values-secret.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -secrets: - # NEVER COMMIT THESE VALUES TO GIT - config-demo: - # Secret used for demonstrating vault storage, external secrets, and ACM distribution - secret: VALUE - additionalsecret: test - - # Required for automated spoke deployment - # aws: - # access_key_id: VALUE - # secret_access_key: VALUE - -# Required for automated spoke deployment -files: - # # ssh-rsa AAA... - # publickey: ~/.ssh/id_rsa.pub - # - # # -----BEGIN RSA PRIVATE KEY - # # ... - # # -----END RSA PRIVATE KEY - # privatekey: ~/.ssh/id_rsa - # - # # {"auths":{"cloud.openshift.com":{"auth":"b3Blb... }}} - # openshiftPullSecret: ~/.dockerconfigjson - # - # azureOsServicePrincipal: ~/osServicePrincipal.json diff --git a/common/ansible/tests/unit/v1/template-mcg-missing.yaml b/common/ansible/tests/unit/v1/template-mcg-missing.yaml deleted file mode 100644 index eca36b2e..00000000 --- a/common/ansible/tests/unit/v1/template-mcg-missing.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -secrets: - # NEVER COMMIT THESE VALUES TO GIT - config-demo: - # Secret used for demonstrating vault storage, external secrets, and ACM distribution - secret: VALUE - foo: bar - - # Required for automated spoke deployment - # aws: - # access_key_id: VALUE - # secret_access_key: VALUE - -# Required for automated spoke deployment -files: - # # ssh-rsa AAA... - # publickey: ~/.ssh/id_rsa.pub - # - # # -----BEGIN RSA PRIVATE KEY - # # ... - # # -----END RSA PRIVATE KEY - # privatekey: ~/.ssh/id_rsa - # - # # {"auths":{"cloud.openshift.com":{"auth":"b3Blb... }}} - # openshiftPullSecret: ~/.dockerconfigjson - # - # azureOsServicePrincipal: ~/osServicePrincipal.json diff --git a/common/ansible/tests/unit/v1/template-mcg-working.yaml b/common/ansible/tests/unit/v1/template-mcg-working.yaml deleted file mode 100644 index 8445c6f3..00000000 --- a/common/ansible/tests/unit/v1/template-mcg-working.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -secrets: - # NEVER COMMIT THESE VALUES TO GIT - config-demo: - # Secret used for demonstrating vault storage, external secrets, and ACM distribution - secret: VALUE - - # Required for automated spoke deployment - # aws: - # access_key_id: VALUE - # secret_access_key: VALUE - -# Required for automated spoke deployment -files: - # # ssh-rsa AAA... - # publickey: ~/.ssh/id_rsa.pub - # - # # -----BEGIN RSA PRIVATE KEY - # # ... - # # -----END RSA PRIVATE KEY - # privatekey: ~/.ssh/id_rsa - # - # # {"auths":{"cloud.openshift.com":{"auth":"b3Blb... }}} - # openshiftPullSecret: ~/.dockerconfigjson - # - # azureOsServicePrincipal: ~/osServicePrincipal.json diff --git a/common/ansible/tests/unit/v1/values-secret-broken1.yaml b/common/ansible/tests/unit/v1/values-secret-broken1.yaml deleted file mode 100644 index ecfc9df4..00000000 --- a/common/ansible/tests/unit/v1/values-secret-broken1.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -secrets: - # empty - -files: - # empty diff --git a/common/ansible/tests/unit/v1/values-secret-broken2.yaml b/common/ansible/tests/unit/v1/values-secret-broken2.yaml deleted file mode 100644 index 82477acd..00000000 --- a/common/ansible/tests/unit/v1/values-secret-broken2.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# secrets: -# empty - -# files: -# empty diff --git a/common/ansible/tests/unit/v1/values-secret-broken3.yaml b/common/ansible/tests/unit/v1/values-secret-broken3.yaml deleted file mode 100644 index 6d7295ba..00000000 --- a/common/ansible/tests/unit/v1/values-secret-broken3.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -secrets: - - borked1 - - borked2 - -files: - foo: - - broken - - broken2 diff --git a/common/ansible/tests/unit/v1/values-secret-empty-files.yaml b/common/ansible/tests/unit/v1/values-secret-empty-files.yaml deleted file mode 100644 index 078166a0..00000000 --- a/common/ansible/tests/unit/v1/values-secret-empty-files.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -secrets: - # NEVER COMMIT THESE VALUES TO GIT - config-demo: - # Secret used for demonstrating vault storage, external secrets, and ACM distribution - secret: VALUE - - # Required for automated spoke deployment - aws: - access_key_id: VALUE - secret_access_key: VALUE - -# Required for automated spoke deployment -files: - # # ssh-rsa AAA... diff --git a/common/ansible/tests/unit/v1/values-secret-empty-secrets.yaml b/common/ansible/tests/unit/v1/values-secret-empty-secrets.yaml deleted file mode 100644 index 13739a27..00000000 --- a/common/ansible/tests/unit/v1/values-secret-empty-secrets.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -secrets: - # NEVER COMMIT THESE VALUES TO GIT - # config-demo: - # # Secret used for demonstrating vault storage, external secrets, and ACM distribution - # secret: VALUE - - # # Required for automated spoke deployment - # aws: - # access_key_id: VALUE - # secret_access_key: VALUE - -# Required for automated spoke deployment -files: - # # ssh-rsa AAA... - publickey: /tmp/ca.crt diff --git a/common/ansible/tests/unit/v1/values-secret-fqdn.yaml b/common/ansible/tests/unit/v1/values-secret-fqdn.yaml deleted file mode 100644 index c77496c1..00000000 --- a/common/ansible/tests/unit/v1/values-secret-fqdn.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -secrets: - test: - secret1: foo - -secrets.region-one.blueprints.rhecoeng.com: - config-demo: - secret: region123 - -files.region-one: - ca: /tmp/ca.crt diff --git a/common/ansible/tests/unit/v1/values-secret-good.yaml b/common/ansible/tests/unit/v1/values-secret-good.yaml deleted file mode 100644 index 6db47285..00000000 --- a/common/ansible/tests/unit/v1/values-secret-good.yaml +++ /dev/null @@ -1,36 +0,0 @@ ---- -secrets: - # NEVER COMMIT THESE VALUES TO GIT - config-demo: - # Secret used for demonstrating vault storage, external secrets, and ACM distribution - secret: demo123 - googleapi: - key: test123 - - cluster_alejandro: - name: alejandro - bearerToken: sha256~bumxi-012345678901233455675678678098-abcdef - - test: - s3.accessKey: "1234" - s3.secretKey: "4321" - - test2: - s3.accessKey: accessKey - s3.secretKey: secretKey - s3Secret: fooo - - test3: - s3.accessKey: "aaaaa" - s3.secretKey: "bbbbbbbb" - -files: - # oc extract -n openshift-config cm/kube-root-ca.crt --to=/home/michele/ --keys=ca.crt - cluster_alejandro_ca: /tmp/ca.crt - -secrets.region-one: - config-demo: - secret: region123 - -files.region-one: - ca: /tmp/ca.crt diff --git a/common/ansible/tests/unit/v2/aws-example.ini b/common/ansible/tests/unit/v2/aws-example.ini deleted file mode 100644 index 5e38bfd8..00000000 --- a/common/ansible/tests/unit/v2/aws-example.ini +++ /dev/null @@ -1,4 +0,0 @@ -; https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html -[default] -aws_access_key_id = A123456789012345678A -aws_secret_access_key = A12345678901234567890123456789012345678A diff --git a/common/ansible/tests/unit/v2/test-file-contents b/common/ansible/tests/unit/v2/test-file-contents deleted file mode 100644 index 49c9a88c..00000000 --- a/common/ansible/tests/unit/v2/test-file-contents +++ /dev/null @@ -1 +0,0 @@ -This space intentionally left blank diff --git a/common/ansible/tests/unit/v2/test-file-contents.b64 b/common/ansible/tests/unit/v2/test-file-contents.b64 deleted file mode 100644 index da896ba7..00000000 --- a/common/ansible/tests/unit/v2/test-file-contents.b64 +++ /dev/null @@ -1 +0,0 @@ -VGhpcyBzcGFjZSBpbnRlbnRpb25hbGx5IGxlZnQgYmxhbmsK \ No newline at end of file diff --git a/common/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml b/common/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml deleted file mode 100644 index 7194ebc3..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml +++ /dev/null @@ -1,9 +0,0 @@ -version: "2.0" - -backingStore: kubernetes - -secrets: - - name: config-demo - fields: - - name: secret - value: secret diff --git a/common/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml b/common/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml deleted file mode 100644 index 4e1e3cd2..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml +++ /dev/null @@ -1,11 +0,0 @@ -version: "2.0" - -backingStore: none - -secrets: - - name: config-demo - targetNamespaces: - - default - fields: - - name: secret - value: secret diff --git a/common/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml b/common/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml deleted file mode 100644 index e1f4c6d5..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml +++ /dev/null @@ -1,9 +0,0 @@ -version: "2.0" - -backingStore: unknown - -secrets: - - name: config-demo - fields: - - name: secret - value: secret diff --git a/common/ansible/tests/unit/v2/values-secret-v2-base.yaml b/common/ansible/tests/unit/v2/values-secret-v2-base.yaml deleted file mode 100644 index bf9670d8..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-base.yaml +++ /dev/null @@ -1,38 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: true - vaultPolicy: basicPolicy - - name: secret2 - value: null - onMissingValue: prompt - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - - name: ca_crt2 - path: null - base64: true - onMissingValue: prompt diff --git a/common/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml b/common/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml deleted file mode 100644 index 84165f69..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml +++ /dev/null @@ -1,16 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - fields: - - name: sshprivkey - onMissingValue: error - value: |- - ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com - - name: sshpubkey - onMissingValue: error - value: |- - -----BEGIN OPENSSH PRIVATE KEY----- - TtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw== - wlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q== - -----END OPENSSH PRIVATE KEY----- diff --git a/common/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml b/common/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml deleted file mode 100644 index af3e2f9b..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -version: "2.0" - -annotations: - test-annotation: 42 - -secrets: - - name: test-secret - fields: - - name: username - value: user - - name: password - value: testpass diff --git a/common/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml b/common/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml deleted file mode 100644 index 56af6586..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -version: "2.0" - -defaultLabels: - testlabel: 4 - -secrets: - - name: test-secret - fields: - - name: username - value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml b/common/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml deleted file mode 100644 index a0f4db63..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -version: "2.0" - -secrets: - test-secret: - fields: - - name: username - value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-defaultvp-policy.yaml b/common/ansible/tests/unit/v2/values-secret-v2-defaultvp-policy.yaml deleted file mode 100644 index e284d300..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-defaultvp-policy.yaml +++ /dev/null @@ -1,25 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: true - vaultPolicy: basicPolicy - - name: secret2 - onMissingValue: generate - override: true - vaultPolicy: validatedPatternDefaultPolicy diff --git a/common/ansible/tests/unit/v2/values-secret-v2-emptyvaultprefix.yaml b/common/ansible/tests/unit/v2/values-secret-v2-emptyvaultprefix.yaml deleted file mode 100644 index df1d420a..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-emptyvaultprefix.yaml +++ /dev/null @@ -1,9 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - fields: - - name: secret - value: value123 - onMissingValue: error diff --git a/common/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml deleted file mode 100644 index 47ed7219..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -version: "2.0" - -secrets: - - name: test-secret - fields: - - name: username - path: ~/test-file-contents - base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml deleted file mode 100644 index 3a968eca..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -version: "2.0" - -secrets: - - name: test-secret - fields: - - name: username - path: ~/test-file-contents.b64 - base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml b/common/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml deleted file mode 100644 index e2da90c2..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -version: "2.0" - -secrets: - - name: test-secret - fields: - - name: username - path: ~/test-file-contents diff --git a/common/ansible/tests/unit/v2/values-secret-v2-files-emptypath.yaml b/common/ansible/tests/unit/v2/values-secret-v2-files-emptypath.yaml deleted file mode 100644 index 9c1142aa..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-files-emptypath.yaml +++ /dev/null @@ -1,25 +0,0 @@ -version: "2.0" -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: ca_crt - onMissingValue: error diff --git a/common/ansible/tests/unit/v2/values-secret-v2-files-wrong-onmissingvalue.yaml b/common/ansible/tests/unit/v2/values-secret-v2-files-wrong-onmissingvalue.yaml deleted file mode 100644 index 36b0e715..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-files-wrong-onmissingvalue.yaml +++ /dev/null @@ -1,26 +0,0 @@ -version: "2.0" -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: generate diff --git a/common/ansible/tests/unit/v2/values-secret-v2-files-wrongpath.yaml b/common/ansible/tests/unit/v2/values-secret-v2-files-wrongpath.yaml deleted file mode 100644 index 35e5cfcf..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-files-wrongpath.yaml +++ /dev/null @@ -1,26 +0,0 @@ -version: "2.0" -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: ca_crt - path: /tmp/nonexisting - onMissingValue: error diff --git a/common/ansible/tests/unit/v2/values-secret-v2-generate-base64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-generate-base64.yaml deleted file mode 100644 index eed8b402..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-generate-base64.yaml +++ /dev/null @@ -1,21 +0,0 @@ -version: "2.0" -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - base64: true - override: true - vaultPolicy: basicPolicy diff --git a/common/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml b/common/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml deleted file mode 100644 index 46992af1..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml +++ /dev/null @@ -1,33 +0,0 @@ -version: "2.0" - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - targetNamespaces: - - default - vaultMount: foo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: true - vaultPolicy: basicPolicy - - name: secret2 - onMissingValue: generate - override: true - vaultPolicy: advancedPolicy diff --git a/common/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml deleted file mode 100644 index ff08d20a..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml +++ /dev/null @@ -1,23 +0,0 @@ -version: "2.0" -secrets: - - name: aws - fields: - - name: aws_access_key_id - ini_file: '~/aws-example.ini' - ini_section: default - ini_key: aws_access_key_id - - name: aws_secret_access_key - ini_file: '~/aws-example.ini' - ini_key: aws_secret_access_key - - name: awsb64 - fields: - - name: aws_access_key_id - ini_file: '~/aws-example.ini' - ini_section: default - ini_key: aws_access_key_id - base64: true - - name: aws_secret_access_key - ini_file: '~/aws-example.ini' - ini_section: default - ini_key: aws_secret_access_key - base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-ini-file.yaml b/common/ansible/tests/unit/v2/values-secret-v2-ini-file.yaml deleted file mode 100644 index c69a1429..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-ini-file.yaml +++ /dev/null @@ -1,21 +0,0 @@ -version: "2.0" -secrets: - - name: aws - fields: - - name: aws_access_key_id - ini_file: /tmp/awscredentials - ini_section: default - ini_key: aws_access_key_id - - name: aws_secret_access_key - ini_file: /tmp/awscredentials - ini_key: aws_secret_access_key - - name: awsfoobar - fields: - - name: aws_access_key_id - ini_file: /tmp/awscredentials - ini_section: foobar - ini_key: aws_access_key_id - - name: aws_secret_access_key - ini_file: /tmp/awscredentials - ini_section: foobar - ini_key: aws_secret_access_key diff --git a/common/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml b/common/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml deleted file mode 100644 index be409af7..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -version: "2.0" - -secrets: - - name: test-secret - targetNamespaces: - - default - - extra - fields: - - name: username - value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml b/common/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml deleted file mode 100644 index a0f4db63..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -version: "2.0" - -secrets: - test-secret: - fields: - - name: username - value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml b/common/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml deleted file mode 100644 index 2a5ef0b6..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml +++ /dev/null @@ -1,33 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultMount: foo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: true - vaultPolicy: basicPolicy - - name: secret2 - onMissingValue: generate - override: true - vaultPolicy: advancedPolicy diff --git a/common/ansible/tests/unit/v2/values-secret-v2-nonexisting-backingstore.yaml b/common/ansible/tests/unit/v2/values-secret-v2-nonexisting-backingstore.yaml deleted file mode 100644 index 906e3167..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-nonexisting-backingstore.yaml +++ /dev/null @@ -1,23 +0,0 @@ -version: "2.0" - -backingStore: nonexisting - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - vaultPolicy: basicPolicy - - name: secret2 - value: null - onMissingValue: prompt - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - - name: ca_crt2 - path: null - base64: true - onMissingValue: prompt diff --git a/common/ansible/tests/unit/v2/values-secret-v2-nopolicies.yaml b/common/ansible/tests/unit/v2/values-secret-v2-nopolicies.yaml deleted file mode 100644 index 3b465700..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-nopolicies.yaml +++ /dev/null @@ -1,24 +0,0 @@ -version: "2.0" - -backingStore: vault - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: secret - value: value123 - onMissingValue: error - - - name: config-demo-file - vaultPrefixes: - - secret/region-two - - secret/snowflake.blueprints.rhecoeng.com - - fields: - - name: ca_crt - path: /tmp/ca.crt - base64: true - onMissingValue: error diff --git a/common/ansible/tests/unit/v2/values-secret-v2-novaultprefix.yaml b/common/ansible/tests/unit/v2/values-secret-v2-novaultprefix.yaml deleted file mode 100644 index 92449dae..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-novaultprefix.yaml +++ /dev/null @@ -1,8 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - fields: - - name: secret - value: value123 - onMissingValue: error diff --git a/common/ansible/tests/unit/v2/values-secret-v2-onlygenerate.yaml b/common/ansible/tests/unit/v2/values-secret-v2-onlygenerate.yaml deleted file mode 100644 index 2a5ef0b6..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-onlygenerate.yaml +++ /dev/null @@ -1,33 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultMount: foo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: true - vaultPolicy: basicPolicy - - name: secret2 - onMissingValue: generate - override: true - vaultPolicy: advancedPolicy diff --git a/common/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml b/common/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml deleted file mode 100644 index 13a460be..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -version: "2.0" - -defaultLabels: - testlabel: 4 - -secrets: - - name: test-secret - labels: - overridelabel: 42 - fields: - - name: username - value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml b/common/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml deleted file mode 100644 index ad53cf77..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -version: "2.0" - -secretStoreNamespace: 'overridden-namespace' - -secrets: - - name: test-secret - fields: - - name: username - value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml b/common/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml deleted file mode 100644 index 1d110671..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -version: "2.0" - -# This is the actual default -defaultNamespace: 'validated-patterns-secrets' - -secrets: - - name: test-secret - type: 'user-specified' - targetNamespaces: - - default - fields: - - name: username - value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-override-type.yaml b/common/ansible/tests/unit/v2/values-secret-v2-override-type.yaml deleted file mode 100644 index 1bf8e369..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-override-type.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -version: "2.0" - -# This is the actual default -defaultNamespace: 'validated-patterns-secrets' - -secrets: - - name: test-secret - type: 'user-specified' - fields: - - name: username - value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-same-field-names.yaml b/common/ansible/tests/unit/v2/values-secret-v2-same-field-names.yaml deleted file mode 100644 index 4845e269..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-same-field-names.yaml +++ /dev/null @@ -1,14 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - value: foo - onMissingValue: error - - name: secret - value: bar - onMissingValue: prompt diff --git a/common/ansible/tests/unit/v2/values-secret-v2-same-secret-names.yaml b/common/ansible/tests/unit/v2/values-secret-v2-same-secret-names.yaml deleted file mode 100644 index 3e17e536..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-same-secret-names.yaml +++ /dev/null @@ -1,20 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - value: foo - onMissingValue: error - - - name: config-demo - vaultPrefixes: - - region-two - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret2 - value: bar - onMissingValue: prompt diff --git a/common/ansible/tests/unit/v2/values-secret-v2-secret-base64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-secret-base64.yaml deleted file mode 100644 index b361b34d..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-secret-base64.yaml +++ /dev/null @@ -1,11 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - - test - fields: - - name: secret - value: foo - onMissingValue: error - base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml deleted file mode 100644 index 579c7d6e..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml +++ /dev/null @@ -1,10 +0,0 @@ -version: "2.0" - -secrets: - - name: secret - fields: - - name: secret - # Should contain 8, 6, 7, 5, 3, 0, 9 in binary - path: '/tmp/testbinfile.bin' - onMissingValue: error - base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-test-override.yaml b/common/ansible/tests/unit/v2/values-secret-v2-test-override.yaml deleted file mode 100644 index 8efdd95c..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-test-override.yaml +++ /dev/null @@ -1,28 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: false - vaultPolicy: basicPolicy diff --git a/common/ansible/tests/unit/v2/values-secret-v2-wrong-ini-file.yaml b/common/ansible/tests/unit/v2/values-secret-v2-wrong-ini-file.yaml deleted file mode 100644 index fb9b253c..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-wrong-ini-file.yaml +++ /dev/null @@ -1,9 +0,0 @@ -version: "2.0" -secrets: - - name: aws - fields: - - name: aws_key_id - ini_file: ~/.aws/credentials - ini_section: default - # The below is required - # ini_key: aws_access_key_id diff --git a/common/ansible/tests/unit/v2/values-secret-v2-wrong-onmissingvalue.yaml b/common/ansible/tests/unit/v2/values-secret-v2-wrong-onmissingvalue.yaml deleted file mode 100644 index 2d53807e..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-wrong-onmissingvalue.yaml +++ /dev/null @@ -1,20 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - vaultPolicy: nonExisting diff --git a/common/ansible/tests/unit/v2/values-secret-v2-wrong-override.yaml b/common/ansible/tests/unit/v2/values-secret-v2-wrong-override.yaml deleted file mode 100644 index 650e93b5..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-wrong-override.yaml +++ /dev/null @@ -1,11 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - fields: - - name: secret - value: null - onMissingValue: prompt - override: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-wrong-vaultpolicy.yaml b/common/ansible/tests/unit/v2/values-secret-v2-wrong-vaultpolicy.yaml deleted file mode 100644 index 2d53807e..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-wrong-vaultpolicy.yaml +++ /dev/null @@ -1,20 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - vaultPolicy: nonExisting diff --git a/common/clustergroup/.github/workflows/update-helm-repo.yml b/common/clustergroup/.github/workflows/update-helm-repo.yml deleted file mode 100644 index fa1d6247..00000000 --- a/common/clustergroup/.github/workflows/update-helm-repo.yml +++ /dev/null @@ -1,30 +0,0 @@ -# This invokes the workflow named 'publish-charts' in the umbrella repo -# It expects to have a secret called CHARTS_REPOS_TOKEN which contains -# the GitHub token that has permissions to invoke workflows and commit code -# inside the umbrella-repo. -# The following fine-grained permissions were used in testing and were limited -# to the umbrella repo only: -# - Actions: r/w -# - Commit statuses: r/w -# - Contents: r/w -# - Deployments: r/w -# - Pages: r/w -# - -name: vp-patterns/update-helm-repo -on: - push: - tags: - - 'v[0-9]+.[0-9]+.[0-9]+' - -jobs: - helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: - contents: read - - update-helm-repo: - needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: read-all - secrets: inherit diff --git a/common/clustergroup/.helmignore b/common/clustergroup/.helmignore deleted file mode 100644 index b25c15b8..00000000 --- a/common/clustergroup/.helmignore +++ /dev/null @@ -1 +0,0 @@ -*~ diff --git a/common/clustergroup/Chart.yaml b/common/clustergroup/Chart.yaml deleted file mode 100644 index 2bacbfc5..00000000 --- a/common/clustergroup/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: A Helm chart to create per-clustergroup ArgoCD applications and any required namespaces or subscriptions. -keywords: -- pattern -name: clustergroup -version: 0.8.12 diff --git a/common/clustergroup/README.md b/common/clustergroup/README.md deleted file mode 100644 index bb522d12..00000000 --- a/common/clustergroup/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Validated Patterns ClusterGroup chart - -This chart is used to set up the basic building blocks in [Validated Patterns](https://validatedpatterns.io) - -Please send PRs [here](https://github.com/validatedpatterns/common) diff --git a/common/clustergroup/templates/_helpers.tpl b/common/clustergroup/templates/_helpers.tpl deleted file mode 100644 index 0237e94a..00000000 --- a/common/clustergroup/templates/_helpers.tpl +++ /dev/null @@ -1,240 +0,0 @@ -{{/* -Default always defined top-level variables for helm charts -*/}} -{{- define "clustergroup.app.globalvalues.helmparameters" -}} -- name: global.repoURL - value: {{ $.Values.global.repoURL }} -- name: global.targetRevision - value: {{ $.Values.global.targetRevision }} -- name: global.namespace - value: $ARGOCD_APP_NAMESPACE -- name: global.pattern - value: {{ $.Values.global.pattern }} -- name: global.clusterDomain - value: {{ $.Values.global.clusterDomain }} -- name: global.clusterVersion - value: "{{ $.Values.global.clusterVersion }}" -- name: global.clusterPlatform - value: "{{ $.Values.global.clusterPlatform }}" -- name: global.hubClusterDomain - value: {{ $.Values.global.hubClusterDomain }} -- name: global.multiSourceSupport - value: {{ $.Values.global.multiSourceSupport | quote }} -- name: global.multiSourceRepoUrl - value: {{ $.Values.global.multiSourceRepoUrl }} -- name: global.multiSourceTargetRevision - value: {{ $.Values.global.multiSourceTargetRevision }} -- name: global.localClusterDomain - value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }} -- name: global.privateRepo - value: {{ $.Values.global.privateRepo | quote }} -- name: global.experimentalCapabilities - value: {{ $.Values.global.experimentalCapabilities | default "" }} -{{- end }} {{/* clustergroup.globalvaluesparameters */}} - - -{{/* -Default always defined valueFiles to be included in Applications -*/}} -{{- define "clustergroup.app.globalvalues.valuefiles" -}} -- "/values-global.yaml" -- "/values-{{ $.Values.clusterGroup.name }}.yaml" -{{- if $.Values.global.clusterPlatform }} -- "/values-{{ $.Values.global.clusterPlatform }}.yaml" - {{- if $.Values.global.clusterVersion }} -- "/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.global.clusterVersion }}.yaml" - {{- end }} -- "/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.clusterGroup.name }}.yaml" -{{- end }} -{{- if $.Values.global.clusterVersion }} -- "/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml" -{{- end }} -{{- if $.Values.global.extraValueFiles }} -{{- range $.Values.global.extraValueFiles }} -- {{ . | quote }} -{{- end }} {{/* range $.Values.global.extraValueFiles */}} -{{- end }} {{/* if $.Values.global.extraValueFiles */}} -{{- end }} {{/* clustergroup.app.globalvalues.valuefiles */}} - -{{/* -Default always defined valueFiles to be included in Applications but with a prefix called $patternref -*/}} -{{- define "clustergroup.app.globalvalues.prefixedvaluefiles" -}} -- "$patternref/values-global.yaml" -- "$patternref/values-{{ $.Values.clusterGroup.name }}.yaml" -{{- if $.Values.global.clusterPlatform }} -- "$patternref/values-{{ $.Values.global.clusterPlatform }}.yaml" - {{- if $.Values.global.clusterVersion }} -- "$patternref/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.global.clusterVersion }}.yaml" - {{- end }} -- "$patternref/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.clusterGroup.name }}.yaml" -{{- end }} -{{- if $.Values.global.clusterVersion }} -- "$patternref/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml" -{{- end }} -{{- if $.Values.global.extraValueFiles }} -{{- range $.Values.global.extraValueFiles }} -- "$patternref/{{ . }}" -{{- end }} {{/* range $.Values.global.extraValueFiles */}} -{{- end }} {{/* if $.Values.global.extraValueFiles */}} -{{- end }} {{/* clustergroup.app.globalvalues.prefixedvaluefiles */}} - -{{/* -Helper function to generate AppProject from a map object -Called from common/clustergroup/templates/plumbing/projects.yaml -*/}} -{{- define "clustergroup.template.plumbing.projects.map" -}} -{{- $projects := index . 0 }} -{{- $namespace := index . 1 }} -{{- $enabled := index . 2 }} -{{- range $k, $v := $projects}} -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: {{ $k }} -{{- if (eq $enabled "plumbing") }} - namespace: openshift-gitops -{{- else }} - namespace: {{ $namespace }} -{{- end }} -spec: - description: "Pattern {{ . }}" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -{{- end }} -{{- end }} - -{{/* - Helper function to generate AppProject from a list object. - Called from common/clustergroup/templates/plumbing/projects.yaml -*/}} -{{- define "clustergroup.template.plumbing.projects.list" -}} -{{- $projects := index . 0 }} -{{- $namespace := index . 1 }} -{{- $enabled := index . 2 }} -{{- range $projects}} -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: {{ . }} -{{- if (eq $enabled "plumbing") }} - namespace: openshift-gitops -{{- else }} - namespace: {{ $namespace }} -{{- end }} -spec: - description: "Pattern {{ . }}" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} -{{- end }} -{{- end }} - -{{/* - Helper function to generate Namespaces from a map object. - Arguments passed as a list object are: - 0 - The namespace hash keys - 1 - Pattern name from .Values.global.pattern - 2 - Cluster group name from .Values.clusterGroup.name - Called from common/clustergroup/templates/core/namespaces.yaml -*/}} -{{- define "clustergroup.template.core.namespaces.map" -}} -{{- $ns := index . 0 }} -{{- $patternName := index . 1 }} -{{- $clusterGroupName := index . 2 }} - -{{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} -apiVersion: v1 -kind: Namespace -metadata: - name: {{ $k }} - {{- if ne $v nil }} - labels: - argocd.argoproj.io/managed-by: {{ $patternName }}-{{ $clusterGroupName }} - {{- if $v.labels }} - {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}} - {{ $key }}: {{ $value | default "" | quote }} - {{- end }} - {{- end }} - {{- if $v.annotations }} - annotations: - {{- range $key, $value := $v.annotations }} {{- /* We loop through the map to get key/value pairs */}} - {{ $key }}: {{ $value | default "" | quote }} - {{- end }} - {{- end }}{{- /* if $v.annotations */}} - {{- end }} -spec: ---- -{{- end }}{{- /* range $k, $v := $ns */}} -{{- end }} - -{{- /* - Helper function to generate OperatorGroup from a map object. - Arguments passed as a list object are: - 0 - The namespace hash keys - 1 - The operatorExcludes section from .Values.clusterGroup.operatorgroupExcludes - Called from common/clustergroup/templates/core/operatorgroup.yaml -*/ -}} -{{- define "clustergroup.template.core.operatorgroup.map" -}} -{{- $ns := index . 0 }} -{{- $operatorgroupExcludes := index . 1 }} -{{- if or (empty $operatorgroupExcludes) (not (has . $operatorgroupExcludes)) }} - {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} - {{- if $v }} - {{- if or $v.operatorGroup (not (hasKey $v "operatorGroup")) }}{{- /* Checks if the user sets operatorGroup: false */}} ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: {{ $k }}-operator-group - namespace: {{ $k }} - {{- if (hasKey $v "targetNamespaces") }} - {{- if $v.targetNamespaces }} - {{- if (len $v.targetNamespaces) }} -spec: - targetNamespaces: - {{- range $v.targetNamespaces }}{{- /* We loop through the list of tergetnamespaces */}} - - {{ . }} - {{- end }}{{- /* End range targetNamespaces */}} - {{- end }}{{- /* End if (len $v.targetNamespaces) */}} - {{- end }}{{- /* End $v.targetNamespaces */}} - {{- else }} -spec: - targetNamespaces: - - {{ $k }} - {{- end }}{{- /* End of if hasKey $v "targetNamespaces" */}} - {{- end }}{{- /* End if $v.operatorGroup */}} - {{- else }}{{- /* else if $v == nil */}} ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: {{ $k }}-operator-group - namespace: {{ $k }} -spec: - targetNamespaces: - - {{ $k }} - {{- end }}{{- /* end if $v */}} - {{- end }}{{- /* End range $k, $v = $ns */}} -{{- end }}{{- /* End of if operatorGroupExcludes */}} -{{- end }} {{- /* End define "clustergroup.template.core.operatorgroup.map" */}} diff --git a/common/clustergroup/templates/core/catalog-sources.yaml b/common/clustergroup/templates/core/catalog-sources.yaml deleted file mode 100644 index 73c2e949..00000000 --- a/common/clustergroup/templates/core/catalog-sources.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- range .Values.clusterGroup.indexImages }} -{{- $name := mustRegexReplaceAll "[^/]*/(.*):.*" .image "${1}" | replace "/" "-" }} -apiVersion: operators.coreos.com/v1alpha1 -kind: CatalogSource -metadata: - name: {{ coalesce .name $name }} - namespace: openshift-marketplace -spec: - sourceType: grpc - image: {{ .image }} ---- -{{- end -}} -{{- end -}} diff --git a/common/clustergroup/templates/core/namespaces.yaml b/common/clustergroup/templates/core/namespaces.yaml deleted file mode 100644 index c9a26afb..00000000 --- a/common/clustergroup/templates/core/namespaces.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- /* - We first check if namespaces are defined as a map. If it is we call - our helper function in _helpers.tpl to process the namespaces - described in the values file. This is to support issue - https://github.com/validatedpatterns/common/issues/459 created by our customer. -*/ -}} -{{- if kindIs "map" .Values.clusterGroup.namespaces }} -{{- template "clustergroup.template.core.namespaces.map" (list .Values.clusterGroup.namespaces $.Values.global.pattern $.Values.clusterGroup.name) }} -{{- else }} -{{- range $ns := .Values.clusterGroup.namespaces }} -apiVersion: v1 -kind: Namespace -metadata: - {{- if kindIs "map" $ns }} - {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} - name: {{ $k }} - labels: - argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - {{- if $v.labels }} - {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}} - {{ $key }}: {{ $value | default "" | quote }} - {{- end }} - {{- end }} - {{- if $v.annotations }} - annotations: - {{- range $key, $value := $v.annotations }} {{- /* We loop through the map to get key/value pairs */}} - {{ $key }}: {{ $value | default "" | quote }} - {{- end }} - {{- end }}{{- /* if $v.annotations */}} - {{- end }}{{- /* range $k, $v := $ns */}} - - {{- else if kindIs "string" $ns }} - labels: - argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - name: {{ $ns }} - {{- end }} {{- /* if kindIs "string" $ns */}} -spec: ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/core/nodes.yaml b/common/clustergroup/templates/core/nodes.yaml deleted file mode 100644 index 5106447d..00000000 --- a/common/clustergroup/templates/core/nodes.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- range $node := .Values.clusterGroup.nodes }} -apiVersion: v1 -kind: Node -metadata: - {{- range $k, $v := $node }} - name: {{ $k }} - labels: - argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - {{- if $v.labels }} - {{- range $key, $value := $v.labels }} - {{ $key }}: {{ $value | default "" | quote }} - {{- end }} - {{- end }} - - {{- if $v.annotations }} - annotations: - {{- range $key, $value := $v.annotations }} - {{ $key }}: {{ $value | default "" | quote }} - {{- end }} - {{- end }}{{- /* if $v.annotations */}} - {{- end }}{{- /* range $k, $v := $node */}} ---- -{{- end -}} -{{- end -}} diff --git a/common/clustergroup/templates/core/operatorgroup.yaml b/common/clustergroup/templates/core/operatorgroup.yaml deleted file mode 100644 index 6adfef47..00000000 --- a/common/clustergroup/templates/core/operatorgroup.yaml +++ /dev/null @@ -1,54 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- /* - We first check if namespaces are defined as a map. If it is we call - our helper function in _helpers.tpl to process the projects - described in the values file. This is to support issue - https://github.com/validatedpatterns/common/issues/459 created by our customer. -*/ -}} -{{- if kindIs "map" .Values.clusterGroup.namespaces }} -{{- template "clustergroup.template.core.operatorgroup.map" (list .Values.clusterGroup.namespaces .Values.clusterGroup.operatorgroupExcludes) }} -{{- else }} -{{- range $ns := .Values.clusterGroup.namespaces }} - -{{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) }} - - {{- if kindIs "map" $ns }} - {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} - {{- if $v.operatorGroup }}{{- /* Checks if the user sets operatorGroup: false */}} ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: {{ $k }}-operator-group - namespace: {{ $k }} - {{- if (hasKey $v "targetNamespaces") }} - {{- if $v.targetNamespaces }} -spec: - targetNamespaces: - {{- range $v.targetNamespaces }}{{- /* We loop through the list of tergetnamespaces */}} - - {{ . }} - {{- end }}{{- /* End range targetNamespaces */}} - {{- end }}{{- /* End if $v.targetNamespaces */}} - {{- else }} -spec: - targetNamespaces: - - {{ $k }} - {{- end }}{{- /* End of if (hasKey $v "targetNamespaces") */}} - {{- end }}{{- /* range $k, $v := $ns */}} - {{- end }}{{- /* End of if operatorGroup */}} - {{- else if kindIs "string" $ns }} ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: {{ . }}-operator-group - namespace: {{ . }} -spec: - targetNamespaces: - - {{ . }} - {{- end }} {{- /* if kindIs "string" $ns */}} ---- -{{- end }} {{- /* if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) */}} -{{- end }} {{- /* range $ns := .Values.clusterGroup.namespaces */}} -{{- end }} {{- /* if kindIs "map" $ns */}} -{{- end }} {{- /* if not (eq .Values.enabled "plumbing") */}} diff --git a/common/clustergroup/templates/core/scheduler.yaml b/common/clustergroup/templates/core/scheduler.yaml deleted file mode 100644 index 5061065e..00000000 --- a/common/clustergroup/templates/core/scheduler.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- if hasKey .Values.clusterGroup "scheduler" }} -apiVersion: config.openshift.io/v1 -kind: Scheduler -metadata: - name: cluster -spec: -{{- toYaml .Values.clusterGroup.scheduler | nindent 2 }} -{{- end -}} -{{- end -}} - diff --git a/common/clustergroup/templates/core/subscriptions.yaml b/common/clustergroup/templates/core/subscriptions.yaml deleted file mode 100644 index f58f6c28..00000000 --- a/common/clustergroup/templates/core/subscriptions.yaml +++ /dev/null @@ -1,73 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- range .Values.clusterGroup.subscriptions }} -{{- $subs := . }} -{{- $installPlanValue := .installPlanApproval }} - -{{- if $subs.namespaces }} -{{- if not $subs.disabled }} -{{- range .namespaces }} -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: {{ $subs.name }} - namespace: {{ . }} -spec: - name: {{ $subs.name }} - source: {{ default "redhat-operators" $subs.source }} - sourceNamespace: {{ default "openshift-marketplace" $subs.sourceNamespace }} - {{- if $subs.channel }} - channel: {{ $subs.channel }} - {{- end }} - installPlanApproval: {{ coalesce $installPlanValue $.Values.global.options.installPlanApproval }} - {{- if $subs.config }} - {{- if $subs.config.env }} - config: - env: - {{- range $subs.config.env }} - - name: {{ .name }} - value: {{ .value }} - {{- end }} - {{- end }} - {{- end }} - {{- if $.Values.global.options.useCSV }} - startingCSV: {{ $subs.csv }} - {{- else if $subs.csv }} - startingCSV: {{ $subs.csv }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- else if not $subs.disabled }} -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: {{ $subs.name }} - namespace: {{ default "openshift-operators" $subs.namespace }} -spec: - name: {{ $subs.name }} - source: {{ default "redhat-operators" $subs.source }} - sourceNamespace: {{ default "openshift-marketplace" $subs.sourceNamespace }} - {{- if $subs.channel }} - channel: {{ $subs.channel }} - {{- end }} - installPlanApproval: {{ coalesce $installPlanValue $.Values.global.options.installPlanApproval }} - {{- if $subs.config }} - {{- if $subs.config.env }} - config: - env: - {{- range $subs.config.env }} - - name: {{ .name }} - value: {{ .value }} - {{- end }} - {{- end }} - {{- end }} - {{- if $.Values.global.options.useCSV }} - startingCSV: {{ $subs.csv }} - {{- else if $subs.csv }} - startingCSV: {{ $subs.csv }} - {{- end }} ---- -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/common/clustergroup/templates/imperative/_helpers.tpl b/common/clustergroup/templates/imperative/_helpers.tpl deleted file mode 100644 index 88538f88..00000000 --- a/common/clustergroup/templates/imperative/_helpers.tpl +++ /dev/null @@ -1,125 +0,0 @@ -# Pseudo-code -# 1. Get the pattern's CR -# 2. If there is a secret called vp-private-repo-credentials in the current namespace, fetch it -# 3. If it is an http secret, generate the correct URL -# 4. If it is an ssh secret, create the private ssh key and make sure the git clone works - -{{/* fetch-ca InitContainer */}} -{{- define "imperative.initcontainers.fetch-ca" }} -- name: fetch-ca - image: {{ $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles -{{- end }} - -{{/* git-init-ca InitContainer */}} -{{- define "imperative.initcontainers.gitinit-ca" }} -- name: git-init - image: {{ $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="{{ $.Values.global.repoURL }}"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode}}` }}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')"; - URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "{{ $.Values.global.targetRevision }}" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch {{ $.Values.global.targetRevision }}"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; -{{- end }} -{{/* Final done container */}} -{{- define "imperative.containers.done" }} -- name: "done" - image: {{ $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' -{{- end }} - -{{/* volume-mounts for all containers */}} -{{- define "imperative.volumemounts_ca" }} -- name: git - mountPath: "/git" -- name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml -- mountPath: /var/run/kube-root-ca - name: kube-root-ca -- mountPath: /var/run/trusted-ca - name: trusted-ca-bundle -- mountPath: /var/run/trusted-hub - name: trusted-hub-bundle -- mountPath: /tmp/ca-bundles - name: ca-bundles -{{- end }} - -{{- define "imperative.volumes_ca" }} -- name: git - emptyDir: {} -- name: values-volume - configMap: - name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} -- configMap: - name: kube-root-ca.crt - name: kube-root-ca -- configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle -- configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle -- name: ca-bundles - emptyDir: {} -{{- end }} diff --git a/common/clustergroup/templates/imperative/auto-approve-installplans.yaml b/common/clustergroup/templates/imperative/auto-approve-installplans.yaml deleted file mode 100644 index 7b935e77..00000000 --- a/common/clustergroup/templates/imperative/auto-approve-installplans.yaml +++ /dev/null @@ -1,49 +0,0 @@ -{{- if $.Values.global.options.autoApproveManualInstallPlans }} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: auto-approve-installplans-cronjob - namespace: {{ $.Values.clusterGroup.imperative.namespace}} -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: {{ $.Values.clusterGroup.imperative.activeDeadlineSeconds }} - template: - metadata: - name: auto-approve-installplans-job - spec: - serviceAccountName: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }} - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - {{- include "imperative.initcontainers.fetch-ca" . | indent 12 }} - {{- include "imperative.initcontainers.gitinit-ca" . | indent 12 }} - - name: auto-approve-installplans - image: {{ $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - env: - - name: HOME - value: /git/home - workingDir: /git/repo - command: - - timeout - - {{ .timeout | default "600" | quote }} - - ansible-playbook - {{- if $.Values.clusterGroup.imperative.verbosity }} - - {{ $.Values.clusterGroup.imperative.verbosity }} - {{- end }} - - -e - - "@/values/values.yaml" - - common/ansible/playbooks/auto-approve-installplans/auto-approve-installplans.yaml - volumeMounts: - {{- include "imperative.volumemounts_ca" . | indent 16 }} - containers: - {{- include "imperative.containers.done" . | indent 12 }} - volumes: - {{- include "imperative.volumes_ca" . | indent 12 }} - restartPolicy: Never -{{- end }} diff --git a/common/clustergroup/templates/imperative/clusterrole.yaml b/common/clustergroup/templates/imperative/clusterrole.yaml deleted file mode 100644 index 0ad8ff64..00000000 --- a/common/clustergroup/templates/imperative/clusterrole.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} -{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ $.Values.clusterGroup.imperative.clusterRoleName }} -rules: -{{- if $.Values.clusterGroup.imperative.clusterRoleYaml -}} - {{ toYaml $.Values.clusterGroup.imperative.clusterRoleYaml | nindent 2 }} -{{- else }} - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch -{{- end }} -{{- end }} {{/* if $.Values.clusterGroup.imperative.serviceAccountCreate */}} -{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }} -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' -{{- end }} {{/* if $.Values.clusterGroup.imperative.adminServiceAccountCreate */}} -{{- end }} diff --git a/common/clustergroup/templates/imperative/configmap.yaml b/common/clustergroup/templates/imperative/configmap.yaml deleted file mode 100644 index 9f2d6155..00000000 --- a/common/clustergroup/templates/imperative/configmap.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} -{{- $valuesyaml := toYaml $.Values -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} - namespace: {{ $.Values.clusterGroup.imperative.namespace}} -data: - values.yaml: | -{{ tpl $valuesyaml . | indent 4 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: {{ $.Values.clusterGroup.imperative.namespace}} - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' -{{- end }} diff --git a/common/clustergroup/templates/imperative/job.yaml b/common/clustergroup/templates/imperative/job.yaml deleted file mode 100644 index 55400e8c..00000000 --- a/common/clustergroup/templates/imperative/job.yaml +++ /dev/null @@ -1,66 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* Define this if needed (jobs defined */}} -{{- if (and $.Values.clusterGroup.imperative (gt (len $.Values.clusterGroup.imperative.jobs) 0)) -}} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ $.Values.clusterGroup.imperative.cronJobName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace}} -spec: - schedule: {{ $.Values.clusterGroup.imperative.schedule | quote }} - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: {{ $.Values.clusterGroup.imperative.activeDeadlineSeconds }} - template: - metadata: - name: {{ $.Values.clusterGroup.imperative.jobName }} - spec: - serviceAccountName: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - {{- include "imperative.initcontainers.fetch-ca" . | indent 12 }} - {{- include "imperative.initcontainers.gitinit-ca" . | indent 12 }} - {{- range $.Values.clusterGroup.imperative.jobs }} - {{- if ne (.disabled | default "false" | toString | lower ) "true" }} - - name: {{ .name }} - image: {{ .image | default $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - {{ .timeout | default "600" | quote }} - - ansible-playbook - {{- if .verbosity }} - - {{ .verbosity }} - {{- end }} - {{- if .tags }} - - -t - - {{ .tags }} - {{- end }} - - -e - - "@/values/values.yaml" - {{- range .extravars }} - - -e - - {{ . | quote }} - {{- end }} - - {{ .playbook }} - volumeMounts: - {{- include "imperative.volumemounts_ca" . | indent 16 }} - {{- end }} - {{- end }} - containers: - {{- include "imperative.containers.done" . | indent 12 }} - volumes: - {{- include "imperative.volumes_ca" . | indent 12 }} - restartPolicy: Never -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/namespace.yaml b/common/clustergroup/templates/imperative/namespace.yaml deleted file mode 100644 index ee7b8adb..00000000 --- a/common/clustergroup/templates/imperative/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: {{ $.Values.clusterGroup.imperative.namespace }} - argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - name: {{ $.Values.clusterGroup.imperative.namespace }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/rbac.yaml b/common/clustergroup/templates/imperative/rbac.yaml deleted file mode 100644 index 8bfad5b3..00000000 --- a/common/clustergroup/templates/imperative/rbac.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} -{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ $.Values.clusterGroup.imperative.clusterRoleName }} -subjects: - - kind: ServiceAccount - name: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $.Values.clusterGroup.imperative.namespace }}-rolebinding - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $.Values.clusterGroup.imperative.roleName }} -subjects: - - kind: ServiceAccount - name: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -{{- end }} -{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ $.Values.clusterGroup.imperative.adminClusterRoleName }} -subjects: - - kind: ServiceAccount - name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/role.yaml b/common/clustergroup/templates/imperative/role.yaml deleted file mode 100644 index 63ad37d1..00000000 --- a/common/clustergroup/templates/imperative/role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $.Values.clusterGroup.imperative.roleName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -rules: -{{- if $.Values.clusterGroup.imperative.roleYaml -}} - {{ toYaml $.Values.clusterGroup.imperative.roleYaml | nindent 2 }} -{{- else }} - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/serviceaccount.yaml b/common/clustergroup/templates/imperative/serviceaccount.yaml deleted file mode 100644 index a171d300..00000000 --- a/common/clustergroup/templates/imperative/serviceaccount.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} -{{- if $.Values.clusterGroup.imperative.serviceAccountCreate }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -{{- end }} -{{- if $.Values.clusterGroup.imperative.adminServiceAccountCreate }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $.Values.clusterGroup.imperative.adminServiceAccountName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/unsealjob.yaml b/common/clustergroup/templates/imperative/unsealjob.yaml deleted file mode 100644 index a7553da8..00000000 --- a/common/clustergroup/templates/imperative/unsealjob.yaml +++ /dev/null @@ -1,59 +0,0 @@ -{{/* If the backend is not set at all we default to "vault". See https://www.github.com/helm/helm/issues/3308 - why we avoid using the default function */}} -{{- if or (eq .Values.global.secretStore.backend "vault") (not (hasKey .Values.global.secretStore "backend")) }} -{{- if not (eq .Values.enabled "plumbing") }} -{{- if $.Values.clusterGroup.isHubCluster }} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: {{ $.Values.clusterGroup.imperative.namespace}} -spec: - schedule: {{ $.Values.clusterGroup.imperative.insecureUnsealVaultInsideClusterSchedule | quote }} - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: {{ $.Values.clusterGroup.imperative.activeDeadlineSeconds }} - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - {{- include "imperative.initcontainers.fetch-ca" . | indent 12 }} - {{- include "imperative.initcontainers.gitinit-ca" . | indent 12 }} - - name: unseal-playbook - image: {{ $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - {{ .timeout | default "600" | quote }} - - ansible-playbook - {{- if $.Values.clusterGroup.imperative.verbosity }} - - {{ $.Values.clusterGroup.imperative.verbosity }} - {{- end }} - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - {{- include "imperative.volumemounts_ca" . | indent 16 }} - containers: - {{- include "imperative.containers.done" . | indent 12 }} - volumes: - {{- include "imperative.volumes_ca" . | indent 12 }} - restartPolicy: Never -{{- end }} -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/plumbing/applications.yaml b/common/clustergroup/templates/plumbing/applications.yaml deleted file mode 100644 index 0b9f4eda..00000000 --- a/common/clustergroup/templates/plumbing/applications.yaml +++ /dev/null @@ -1,296 +0,0 @@ -{{- if not (eq .Values.enabled "core") }} -{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} -{{- if (eq .Values.enabled "plumbing") }} -{{- $namespace = "openshift-gitops" }} -{{- end }} -{{- range .Values.clusterGroup.applications }} -{{- if .disabled }} {{- /* This allows us to null out an Application entry by specifying disabled: true in an override file */}} -{{- else if or (.generators) (.generatorFile) (.useGeneratorValues) (.destinationServer) (.destinationNamespace) }} -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: {{ .name }} - namespace: {{ $namespace }} - labels: - app: {{ .name }} -spec: - {{- if .generators }} - generators: {{ .generators | toPrettyJson }} - {{- else }} - generators: - - git: - repoURL: {{ $.Values.global.repoURL }} - revision: {{ $.Values.global.targetRevision }} - {{- if .generatorFile }} - files: - - path: {{ .generatorFile | quote }} - {{- end }} - {{- end }} - template: - metadata: - name: {{ coalesce .namespace $namespace }} - spec: - project: {{ .project }} - {{- if .syncPolicy }} - syncPolicy: {{ .syncPolicy | toPrettyJson }} - {{- else }} - syncPolicy: - automated: {} - retry: - limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} - {{- end }} - {{- if .ignoreDifferences }} - ignoreDifferences: {{ .ignoreDifferences | toPrettyJson | nindent 2 }} - {{- end }} - source: - repoURL: {{ coalesce .repoURL $.Values.global.repoURL }} - targetRevision: {{ coalesce .targetRevision $.Values.global.targetRevision }} - {{- if .chart }} - chart: {{ .chart }} - {{- end }} - {{- if .path }} - path: {{ .path }} - {{- end }} - {{- if .plugin }} - plugin: {{ .plugin | toPrettyJson }} - {{- end }} - {{- if not .kustomize }} - helm: - ignoreMissingValueFiles: true - valueFiles: - {{- include "clustergroup.app.globalvalues.valuefiles" $ | nindent 12 }} - {{- range $valueFile := $.Values.clusterGroup.sharedValueFiles }} - - {{ tpl $valueFile $ | quote }} - {{- end }} - {{- range $valueFile := .extraValueFiles }} - - {{ tpl $valueFile $ | quote }} - {{- end }} - {{- if .useGeneratorValues }} - values: |- - {{ `{{ values }}` }} - {{- end }} - parameters: - {{- include "clustergroup.app.globalvalues.helmparameters" $ | nindent 12 }} - - name: global.repoURL - value: {{ $.Values.global.repoURL }} - - name: global.targetRevision - value: {{ $.Values.global.targetRevision }} - - name: global.namespace - value: {{ $.Values.global.namespace }} - - name: clusterGroup.name - value: {{ $.Values.clusterGroup.name }} - {{- range .extraHubClusterDomainFields }} - - name: {{ . }} - value: {{ $.Values.global.hubClusterDomain }} - {{- end }} - {{- range .extraLocalClusterDomainFields }} - - name: {{ . }} - value: {{ $.Values.global.localClusterDomain }} - {{- end }} - {{- range .extraRepoURLFields }} - - name: {{ . }} - value: {{ $.Values.global.repoURL }} - {{- end }} - {{- range .extraTargetRevisionFields }} - - name: {{ . }} - value: {{ $.Values.global.targetRevision }} - {{- end }} - {{- range .extraNamespaceFields }} - - name: {{ . }} - value: {{ $.Values.global.namespace }} - {{- end }} - {{- range .extraPatternNameFields }} - - name: {{ . }} - value: {{ $.Values.global.pattern }} - {{- end }} - {{- range $k, $v := $.Values.extraParametersNested }} - - name: {{ $k }} - value: {{ printf "%s" $v | quote }} - {{- end }} - {{- range .overrides }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- if .forceString }} - forceString: true - {{- end }} - {{- end }} - {{- end }} - destination: - server: {{ coalesce .destinationServer "https://kubernetes.default.svc" }} - namespace: {{ coalesce .destinationNamespace .namespace $namespace }} -{{- else }} ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: {{ .name }} - namespace: {{ $namespace }} - labels: - validatedpatterns.io/pattern: {{ $.Values.global.pattern }} - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: {{ $.Values.clusterGroup.targetCluster }} - namespace: {{ default $namespace .namespace }} - project: {{ .project }} - {{- if and .chart .chartVersion }} {{- /* if .chartVersion is set *and* .repoURL is undefined we assume this is a multisource app */}} - sources: - - repoURL: {{ coalesce .repoURL $.Values.global.repoURL }} - {{- /* We do not allow overriding the values with .targetRevision because when we use .targetRevision in a chart to specify the helm - chart, that revision (e.g. 0.0.1) won't exist in the git tree. So here we simply always take the pattern's git branch/commit */}} - targetRevision: {{ $.Values.global.targetRevision }} - ref: patternref - - repoURL: {{ coalesce .repoURL $.Values.global.multiSourceRepoUrl }} - chart: {{ .chart }} - targetRevision: {{ .chartVersion }} - {{- if .plugin }} - plugin: {{ .plugin | toPrettyJson }} - {{- else }} - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - {{- range $k, $v := $.Values.extraParametersNested }} - {{ $k }}: {{ printf "%s" $v | quote }} - {{- end }} - valueFiles: - {{- include "clustergroup.app.globalvalues.prefixedvaluefiles" $ | nindent 8 }} - {{- range $valueFile := $.Values.clusterGroup.sharedValueFiles }} - - {{ tpl $valueFile $ | quote }} - {{- end }} - {{- range $valueFile := .extraValueFiles }} - - {{ tpl $valueFile $ | quote }} - {{- end }} - parameters: - {{- include "clustergroup.app.globalvalues.helmparameters" $ | nindent 8 }} - {{- range .extraHubClusterDomainFields }} - - name: {{ . }} - value: {{ $.Values.global.hubClusterDomain }} - {{- end }} - {{- range .extraLocalClusterDomainFields }} - - name: {{ . }} - value: {{ $.Values.global.localClusterDomain }} - {{- end }} - {{- range .extraRepoURLFields }} - - name: {{ . }} - value: $ARGOCD_APP_SOURCE_REPO_URL - {{- end }} - {{- range .extraTargetRevisionFields }} - - name: {{ . }} - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - {{- end }} - {{- range .extraNamespaceFields }} - - name: {{ . }} - value: $ARGOCD_APP_NAMESPACE - {{- end }} - {{- range .extraPatternNameFields }} - - name: {{ . }} - value: {{ $.Values.global.pattern }} - {{- end }} - {{- range $k, $v := $.Values.extraParametersNested }} - - name: {{ $k }} - value: {{ printf "%s" $v | quote }} - {{- end }} - {{- range .overrides }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- if .forceString }} - forceString: true - {{- end }} - {{- end }}{{- /* range .overrides */}} - {{- if .fileParameters }} - fileParameters: - {{- range .fileParameters }} - - name: {{ .name }} - path: {{ .path }} - {{- end }} - {{- end }}{{- /* if .fileParameters */}} - {{- end }}{{- /* if .plugin */}} - {{- else }} {{- /* if .chartVersion */}} - source: - repoURL: {{ coalesce .repoURL $.Values.global.repoURL }} - targetRevision: {{ coalesce .targetRevision $.Values.global.targetRevision }} - {{- if .chart }} - chart: {{ .chart }} - {{- else }} - path: {{ .path }} - {{- end }}{{- /* if .chart */}} - {{- if .plugin }} - plugin: {{ .plugin | toPrettyJson }} - {{- else if not .kustomize }} - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - {{- range $k, $v := $.Values.extraParametersNested }} - {{ $k }}: {{ printf "%s" $v | quote }} - {{- end }} - valueFiles: - {{- include "clustergroup.app.globalvalues.valuefiles" $ | nindent 6 }} - {{- range $valueFile := $.Values.clusterGroup.sharedValueFiles }} - - {{ tpl $valueFile $ | quote }} - {{- end }} - {{- range $valueFile := .extraValueFiles }} - - {{ tpl $valueFile $ | quote }} - {{- end }} - parameters: - {{- include "clustergroup.app.globalvalues.helmparameters" $ | nindent 8 }} - {{- range .extraHubClusterDomainFields }} - - name: {{ . }} - value: {{ $.Values.global.hubClusterDomain }} - {{- end }} - {{- range .extraLocalClusterDomainFields }} - - name: {{ . }} - value: {{ $.Values.global.localClusterDomain }} - {{- end }} - {{- range .extraRepoURLFields }} - - name: {{ . }} - value: $ARGOCD_APP_SOURCE_REPO_URL - {{- end }} - {{- range .extraTargetRevisionFields }} - - name: {{ . }} - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - {{- end }} - {{- range .extraNamespaceFields }} - - name: {{ . }} - value: $ARGOCD_APP_NAMESPACE - {{- end }} - {{- range .extraPatternNameFields }} - - name: {{ . }} - value: {{ $.Values.global.pattern }} - {{- end }} - {{- range $k, $v := $.Values.extraParametersNested }} - - name: {{ $k }} - value: {{ printf "%s" $v | quote }} - {{- end }} - {{- range .overrides }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- if .forceString }} - forceString: true - {{- end }} - {{- end }}{{- /* range .overrides */}} - {{- if .fileParameters }} - fileParameters: - {{- range .fileParameters }} - - name: {{ .name }} - path: {{ .path }} - {{- end }}{{- /* range .fileParameters */}} - {{- end }}{{- /* if .fileParameters */}} - {{- end }}{{- /* if .plugin */}} - {{- end }}{{- /* if .chartVersion */}} - {{- if .ignoreDifferences }} - ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }} - {{- end }} - {{- if .syncPolicy }} - syncPolicy: {{ .syncPolicy | toPrettyJson }} - {{- else }} - syncPolicy: - automated: {} - retry: - limit: {{ default 20 $.Values.global.applicationRetryLimit }} - {{- end }}{{- /* .syncPolicy */}} -{{- end }}{{- /* if or (.generators) (.generatorFile) (.useGeneratorValues) (.destinationServer) (.destinationNamespace) */}} -{{- end }}{{- /* range .Values.clusterGroup.applications */}} -{{- end }}{{- /* if not (eq .Values.enabled "core") */}} diff --git a/common/clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml b/common/clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml deleted file mode 100644 index 6f86c316..00000000 --- a/common/clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }} -{{- if $cmp.pluginConfig }} ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: "argocd-cmp-{{ $cmp.name }}" - namespace: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} -data: - "plugin.yaml": | {{ tpl $cmp.pluginConfig $ | nindent 4 }} -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/plumbing/argocd-super-role.yaml b/common/clustergroup/templates/plumbing/argocd-super-role.yaml deleted file mode 100644 index 11366a0b..00000000 --- a/common/clustergroup/templates/plumbing/argocd-super-role.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- if (eq .Values.enabled "all") }} -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: {{ .Values.clusterGroup.name }}-gitops-argocd-application-controller - namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }} - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: {{ .Values.clusterGroup.name }}-gitops-argocd-server - namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }} - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: {{ .Values.clusterGroup.name }}-gitops-argocd-dex-server - namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }} -{{- end }} diff --git a/common/clustergroup/templates/plumbing/argocd.yaml b/common/clustergroup/templates/plumbing/argocd.yaml deleted file mode 100644 index d7a8f7e3..00000000 --- a/common/clustergroup/templates/plumbing/argocd.yaml +++ /dev/null @@ -1,207 +0,0 @@ - -{{- if (eq .Values.enabled "all") }} -{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: {{ .Values.clusterGroup.name }}-gitops - namespace: {{ $namespace }} - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: {{ $.Values.clusterGroup.argoCD.resourceTrackingMethod}} - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: {{ $.Values.clusterGroup.imperative.image }} - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles -{{- if len $.Values.clusterGroup.argoCD.initContainers }} -{{ $.Values.clusterGroup.argoCD.initContainers | toPrettyJson }} -{{- end }} -{{- if len $.Values.clusterGroup.argoCD.configManagementPlugins }} - sidecarContainers: -{{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }} - - name: {{ $cmp.name }} - command: [/var/run/argocd/argocd-cmp-server] -{{- if $cmp.pluginArgs }} - args: {{ $cmp.pluginArgs | toPrettyJson }} -{{- end }} - image: {{ $cmp.image }} - imagePullPolicy: {{ coalesce $cmp.imagePullPolicy "Always" }} - securityContext: - runAsNonRoot: true - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - - mountPath: /tmp - name: cmp-tmp -{{- if $cmp.pluginConfig }} - - mountPath: /home/argocd/cmp-server/config/plugin.yaml - subPath: plugin.yaml - name: {{ $cmp.name }} -{{- end }} -{{- end }} -{{- end }} -{{- if len $.Values.clusterGroup.argoCD.configManagementPlugins }} - volumes: - - emptyDir: {} - name: cmp-tmp -{{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }} - - configMap: - name: "argocd-cmp-{{ $cmp.name }}" - name: {{ $cmp.name }} -{{- end }} -{{- end }} - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi -{{- if $.Values.clusterGroup.argoCD.resourceExclusions }} - resourceExclusions: {{- $.Values.clusterGroup.argoCD.resourceExclusions | toYaml | indent 2 }} -{{- end }} -{{- if .Values.global.excludeESO }} - - apiGroups: - - external-secrets.io - kinds: - - ExternalSecret -{{- end }} - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: {{ .Values.clusterGroup.name }}-gitops-link - namespace: {{ $namespace }} -spec: - applicationMenu: - section: OpenShift GitOps - imageURL:  - href: 'https://{{ .Values.clusterGroup.name }}-gitops-server-{{ $namespace }}.{{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }}' - location: ApplicationMenu - text: '{{ title .Values.clusterGroup.name }} ArgoCD' -{{- end }} diff --git a/common/clustergroup/templates/plumbing/cluster-external-secrets.yaml b/common/clustergroup/templates/plumbing/cluster-external-secrets.yaml deleted file mode 100644 index 20d6f261..00000000 --- a/common/clustergroup/templates/plumbing/cluster-external-secrets.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if (eq .Values.enabled "plumbing") }} -{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} -apiVersion: "external-secrets.io/v1beta1" -kind: ExternalSecret -metadata: - name: {{ .Values.clusterGroup.targetCluster | kebabcase }}-secret - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "100" -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ $.Values.secretStore.name }} - kind: {{ $.Values.secretStore.kind }} - target: - name: {{ .Values.clusterGroup.targetCluster | kebabcase }}-secret - template: - type: Opaque - metadata: - labels: - argocd.argoproj.io/secret-type: cluster - data: - name: {{ .Values.clusterGroup.targetCluster }} - server: https://api.{{ .Values.global.clusterDomain }}:6443 - config: | - { - "bearerToken": {{ "{{ .kubeBearer | toString | quote }}" }}, - "tlsClientConfig": { - "insecure": false, - "caData": {{ "{{ .kubeCA | toString | quote }}" }} - } - } - data: - - secretKey: kubeBearer - remoteRef: - key: {{ $.Values.clusterGroup.hostedSite.secretsPath }} - property: bearerToken - - secretKey: kubeCA - remoteRef: - key: {{ $.Values.clusterGroup.hostedSite.secretsPath }} - property: caCert -{{- end }} diff --git a/common/clustergroup/templates/plumbing/gitops-namespace.yaml b/common/clustergroup/templates/plumbing/gitops-namespace.yaml deleted file mode 100644 index 3cd7608d..00000000 --- a/common/clustergroup/templates/plumbing/gitops-namespace.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }} - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }} -spec: {} -{{- end }} diff --git a/common/clustergroup/templates/plumbing/hosted-sites.yaml b/common/clustergroup/templates/plumbing/hosted-sites.yaml deleted file mode 100644 index f1f57374..00000000 --- a/common/clustergroup/templates/plumbing/hosted-sites.yaml +++ /dev/null @@ -1,172 +0,0 @@ -{{- if (eq .Values.enabled "all") }} -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- if .hostedArgoSites }} -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: {{ .name }} - namespace: openshift-gitops -spec: - description: "Cluster Group {{ $group.name }}" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -{{- end }} -{{- range .hostedArgoSites }} -{{ $secretsPathDefault := print "secret/data/hub/cluster_" .name }} -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: {{ $.Values.global.pattern }}-{{ $group.name }}-{{ .name }} - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: {{ $group.name }} - source: - repoURL: {{ coalesce $group.repoURL $.Values.global.repoURL }} - targetRevision: {{ coalesce $group.targetRevision $.Values.global.targetRevision }} - path: {{ default "common/clustergroup" $group.path }} - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-{{ $group.name }}.yaml" - {{- range $valueFile := $group.extraValueFiles }} - - {{ $valueFile | quote }} - {{- end }} - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: {{ $.Values.global.pattern }} - - name: global.hubClusterDomain - value: {{ $.Values.global.hubClusterDomain }} - - name: global.localClusterDomain - value: apps.{{ .domain }} - - name: global.clusterDomain - value: {{ .domain }} - - name: enabled - value: core - - name: clusterGroup.name - value: {{ $group.name }} - - name: clusterGroup.targetCluster - value: {{ .name }} - - name: clusterGroup.hostedSite.secretsPath - value: {{ default $secretsPathDefault .secretsPath }} - {{- range $group.helmOverrides }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if $group.fileParameters }} - fileParameters: - {{- range $group.fileParameters }} - - name: {{ .name }} - path: {{ .path }} - {{- end }} - {{- end }} - destination: - name: {{ .name }} - namespace: {{ $.Values.global.pattern }}-{{ $group.name }} - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: {{ $.Values.global.pattern }}-{{ $group.name }}-{{ .name }}-plumbing - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: {{ $group.name }} - source: - repoURL: {{ coalesce $group.repoURL $.Values.global.repoURL }} - targetRevision: {{ coalesce $group.targetRevision $.Values.global.targetRevision }} - path: {{ default "common/clustergroup" $group.path }} - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-{{ $group.name }}.yaml" - {{- range $valueFile := $group.extraValueFiles }} - - {{ $valueFile | quote }} - {{- end }} - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: {{ $.Values.global.pattern }} - - name: global.hubClusterDomain - value: {{ $.Values.global.hubClusterDomain }} - - name: global.localClusterDomain - value: apps.{{ .domain }} - - name: global.clusterDomain - value: {{ .domain }} - - name: enabled - value: plumbing - - name: clusterGroup.name - value: {{ $group.name }} - - name: clusterGroup.targetCluster - value: {{ .name }} - - name: clusterGroup.hostedSite.secretsPath - value: {{ default $secretsPathDefault .secretsPath }} - {{- range $group.helmOverrides }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if $group.fileParameters }} - fileParameters: - {{- range $group.fileParameters }} - - name: {{ .name }} - path: {{ .path }} - {{- end }} - {{- end }} - destination: - name: in-cluster - namespace: openshift-gitops - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/plumbing/projects.yaml b/common/clustergroup/templates/plumbing/projects.yaml deleted file mode 100644 index 1050f2ee..00000000 --- a/common/clustergroup/templates/plumbing/projects.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- if not (eq .Values.enabled "core") }} -{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} -{{- /* - We first check if projects are defined as a map. If it is we call - our helper function in _helpers.tpl to process the projects - described in the values file. This is to support issue - https://github.com/validatedpatterns/common/issues/459 created by our customer. -*/ -}} -{{- if kindIs "map" .Values.clusterGroup.projects }} -{{- template "clustergroup.template.plumbing.projects.map" (list .Values.clusterGroup.projects $namespace $.Values.enabled) }} -{{- else }} -{{- range .Values.clusterGroup.projects }} -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: {{ . }} -{{- if (eq $.Values.enabled "plumbing") }} - namespace: openshift-gitops -{{- else }} - namespace: {{ $namespace }} -{{- end }} -spec: - description: "Pattern {{ . }}" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -{{- end }} {{- /* end range */ -}} -{{- end }} {{- /* end if map */ -}} -{{- end }} {{- /* end if not "core" */ -}} diff --git a/common/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml b/common/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml deleted file mode 100644 index 8b2a9cde..00000000 --- a/common/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +++ /dev/null @@ -1,7 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }} - labels: - config.openshift.io/inject-trusted-cabundle: 'true' diff --git a/common/clustergroup/values.schema.json b/common/clustergroup/values.schema.json deleted file mode 100644 index 2fbe3421..00000000 --- a/common/clustergroup/values.schema.json +++ /dev/null @@ -1,1089 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$ref": "#/definitions/ValidatedPatterns", - "definitions": { - "ValidatedPatterns": { - "type": "object", - "additionalProperties": true, - "properties": { - "enabled": { - "type": "string", - "enum": [ - "all", - "core", - "plumbing" - ] - }, - "secretStore": { - "$ref": "#/definitions/SecretStore" - }, - "main": { - "$ref": "#/definitions/Main" - }, - "global": { - "$ref": "#/definitions/Global" - }, - "clusterGroup": { - "$ref": "#/definitions/ClusterGroup" - } - }, - "required": [ - "clusterGroup" - ], - "title": "ValidatedPatterns" - }, - "SecretStore": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "Name of the external secret backend", - "default": "vault-backend" - }, - "kind": { - "type": "string", - "description": "Type of the external secret backend", - "default": "ClusterSecretStore" - } - }, - "required": [ - "name", - "kind" - ], - "title": "SecretsStore" - }, - "Main": { - "type": "object", - "additionalProperties": false, - "required": [ - "clusterGroupName" - ], - "title": "Main", - "description": "This section contains the 'main' variables which are used by the install chart only and are passed to helm via the Makefile", - "properties": { - "clusterGroupName": { - "type": "string" - }, - "extraParameters": { - "type": "array", - "description": "Pass in extra Helm parameters to all ArgoCD Applications and the framework." - }, - "experimentalCapabilities": { - "type": "string", - "description": "String to enable certain experimental capabilities in the operator and the framework." - }, - "git": { - "type": "object", - "additionalProperties": false, - "required": [ - "repoURL", - "revision" - ], - "properties": { - "repoUpstreamURL": { - "type": "string", - "description": "Upstream URL of the pattern's git repository. When set an in-cluster gitea instance gets spawned and repoURL is ignored" - }, - "repoURL": { - "type": "string", - "description": "URL of the pattern's git repository" - }, - "revision": { - "type": "string", - "description": "revision (branch/commit/ref) to use on the pattern's git repository" - } - } - }, - "gitops": { - "type": "object", - "additionalProperties": true, - "properties": { - "channel": { - "type": "string", - "description": "The channel from which to install the gitops operator" - }, - "operatorSource": { - "type": "string", - "description": "The catalog source from which to install the gitops operator" - } - } - }, - "patternsOperator": { - "type": "object", - "additionalProperties": true, - "properties": { - "channel": { - "type": "string", - "description": "The channel from which to install the patterns operator" - }, - "source": { - "type": "string", - "description": "The catalog source from which to install the patterns operator" - } - } - }, - "multiSourceConfig": { - "type": "object", - "additionalProperties": true, - "properties": { - "enabled": { - "type": "boolean", - "description": "Enable the experimental support for multi source for the clustergroup chart" - }, - "helmRepoUrl": { - "type": "string", - "description": "The helm repo URL for the clustergroup chart" - } - } - }, - "analyticsUUID": { - "type": "string", - "description": "UUID used to generate analytics" - } - } - }, - "Global": { - "type": "object", - "additionalProperties": true, - "properties": { - "pattern": { - "type": "string", - "readOnly": true, - "description": "The name of the pattern being installed. The default is the name of the repository's folder and is automatically set by the Makefile" - }, - "clusterDomain": { - "type": "string", - "readOnly": true, - "description": "The FQDN domain of the cluster without the 'apps.' component. For example: mcg-hub.blueprints.rhecoeng.com. Gets set automatically by the framework" - }, - "localClusterDomain": { - "type": "string", - "readOnly": true, - "description": "The FQDN domain of the cluster including the 'apps.' component. For example: apps.mcg-hub.blueprints.rhecoeng.com. Gets set automatically by the framework" - }, - "targetRevision": { - "type": "string", - "readOnly": true, - "description": "revision (branch/commit/ref) to use on the pattern's git repository, it is set automatically by the pattern's operator" - }, - "repoURL": { - "type": "string", - "readOnly": true, - "description": "URL of the pattern's git repository, it is set automatically by the pattern's operator" - }, - "hubClusterDomain": { - "type": "string", - "readOnly": true, - "description": "The FQDN domain of the hub cluster including the 'apps.' component. For example: apps.mcg-hub.blueprints.rhecoeng.com. Gets set automatically by the framework. Only makes sense when using ACM" - }, - "namespace": { - "type": "string", - "readOnly": true, - "description": "The namespace in which the ArgoCD instance is running. Automatically set to either 'openshift-operators' or '$ARGOCD_APP_NAMESPACE'" - }, - "git": { - "$ref": "#/definitions/GlobalGit" - }, - "options": { - "$ref": "#/definitions/Options" - }, - "secretStore": { - "$ref": "#/definitions/GlobalSecretStore" - } - }, - "required": [ - "options" - ], - "title": "Global" - }, - "GlobalSecretStore": { - "type": "object", - "additionalProperties": false, - "properties": { - "backend": { - "type": "string", - "description": "Name of the secrets backend", - "default": "vault" - } - }, - "title": "GlobalSecretsStore" - }, - "GlobalGit": { - "type": "object", - "additionalProperties": true, - "description": "The git configuration used to support Tekton pipeline tasks.", - "properties": { - "hostname": { - "type": "string", - "description": "The hostname for the Git provider being used. e.g. github.com or gitlab.com" - }, - "account": { - "type": "string", - "description": "The account for the Git provider. Accounts allow you to organize and control access to that code. There are three types of accounts on GitHub. Personal accounts Organization accounts Enterprise accounts e.g. hybrid-cloud-patterns or claudiol" - }, - "email": { - "type": "string", - "description": "The contact email for the Git account. e.g. account@gmail.com" - }, - "dev_revision": { - "type": "string", - "deprecated": true, - "description": "This is used by the pipelines as the branch for the development repository. e.g. v2.0. This is marked as deprecated" - } - }, - "required": [ - "hostname", - "account", - "email" - ], - "title": "GlobalGit" - }, - "Options": { - "type": "object", - "additionalProperties": false, - "properties": { - "useCSV": { - "type": "boolean", - "deprecated": true - }, - "syncPolicy": { - "type": "string", - "description": "This is the sync policy for the ArgoCD applications. When set to Automatic ArgoCD will automatically sync an application when it detects differences between the desired manifests in Git." - }, - "installPlanApproval": { - "type": "string", - "deprecated": true, - "description": "This is used to approval strategy for the subscriptions of OpenShift Operators being installed. You can choose Automatic or Manual updates. NOTE: This setting is now available in the subcriptions description in the values file." - }, - "autoApproveManualInstallPlans": { - "type": "boolean", - "description": "This is used to approve automatically those subscriptions of OpenShift Operators that are in Manual with a startingCSV version. You can choose True or False. Defaults: False." - }, - "applicationRetryLimit": { - "type": "integer", - "description": "Number of failed sync attempt retries; unlimited number of attempts if less than 0" - } - }, - "required": [ - "installPlanApproval", - "syncPolicy", - "useCSV" - ], - "title": "Options" - }, - "ClusterGroup": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "The name of the cluster group." - }, - "targetCluster": { - "type": "string" - }, - "isHubCluster": { - "type": "boolean", - "description": "If set to true the values is used to identify whether this is the hub cluster or an edge/spoke cluster configuration." - }, - "sharedValueFiles": { - "type": "array", - "description": "Templated value file paths." - }, - "scheduler": { - "type": "object", - "description": "If set, it will become the spec of the scheduler/cluster in the managed cluster." - }, - "namespaces": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "This is the array of namespaces that the VP framework will create. In addition, operator groups will also be created for each namespace.", - "items": { - "$ref": "#/definitions/Namespaces" - } - }, - "nodes": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "Description of those nodes which ArgoCD will control the labels and/or annotations.", - "items": { - "$ref": "#/definitions/Nodes" - } - }, - "indexImages": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "List of index images for overriding default catalog sources.", - "items": { - "$ref": "#/definitions/IndexImages" - } - }, - "operatorgroupExcludes": { - "type": "array", - "description": "List of namespaces to exclude the creation of operator groups.", - "items": { - "type": "string" - } - }, - "operatorgroupExcludeTargetNS": { - "type": "array", - "description": "Specify the list of namespaces where the target namespace field in the corresponding operatorgroup object should be excluded.", - "items": { - "type": "string" - } - }, - "hostedSite": { - "type": "object", - "items": { - "$ref": "#/definitions/HostedSite" - } - }, - "subscriptions": { - "anyOf": [ - { - "type": "null" - }, - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "Description of the subscriptions that the VP Framework will install in the cluster. Two ways of defining subscriptions: Using a list or using a dictionary.", - "items": { - "$ref": "#/definitions/Subscription" - } - }, - "projects": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "The list of projects that will be created in the ArgoCD instances.", - "items": { - "type": "string" - } - }, - "applications": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "Description of the applications that will be created in the ArgoCD instances. Two ways of defining applications: Using a list or using a dictionary.", - "items": { - "$ref": "#/definitions/Applications" - } - }, - "argoCD": { - "$ref": "#/definitions/ArgoCD" - }, - "imperative": { - "$ref": "#/definitions/Imperative" - }, - "managedClusterGroups": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "Description of the managed clusters that ACM will be able to manage. Two ways of defining managed clusters: Using a list or using a dictionary.", - "items": { - "$ref": "#/definitions/ManagedClusterGroup" - } - } - }, - "required": [ - "applications", - "isHubCluster", - "name", - "namespaces", - "projects" - ], - "title": "ClusterGroup" - }, - "Namespaces": { - "anyOf": [ - { - "type": "object" - }, - { - "type": "string" - } - ], - "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", - "additionalProperties": true, - "properties": { - "name": { - "type": "string", - "description": "Name of the namespace." - }, - "labels": { - "type": "array", - "items": { - "$ref": "#/definitions/NameValue" - } - }, - "annotations": { - "type": "array", - "items": { - "$ref": "#/definitions/NameValue" - } - } - } - }, - "Nodes": { - "type": "object", - "description": "Description of those nodes which ArgoCD will control the labels and/or annotations.", - "additionalProperties": true, - "properties": { - "name": { - "type": "string", - "description": "Name of the node." - }, - "labels": { - "type": "array", - "items": { - "$ref": "#/definitions/NameValue" - } - }, - "annotations": { - "type": "array", - "items": { - "$ref": "#/definitions/NameValue" - } - } - } - }, - "NameValue": { - "type": "object", - "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", - "additionalProperties": true, - "properties": { - "name": { - "type": "string", - "description": "Name of the namespace." - }, - "value": { - "type": "string", - "description": "Name of the namespace." - } - } - }, - "Applications": { - "type": "object", - "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", - "additionalProperties": true, - "properties": { - "name": { - "type": "string", - "description": "Name of the application in ArgoCD." - }, - "repoURL": { - "type": "string", - "description": "RepoURL is the URL to the repository (Git or Helm) that contains the application manifests." - }, - "targetRevision": { - "type": "string", - "description": "TargetRevision defines the revision of the source to sync the application to. In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version." - }, - "chart": { - "type": "string", - "description": "Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo." - }, - "chartVersion": { - "type": "string", - "description": "The version of the helm chart to be used. Can be a regex like '0.0.*'." - }, - "kustomize": { - "type": "boolean", - "description": "If set to true it will tell ArgoCD to use kustomize to deploy the application." - }, - "plugin": { - "type": "object", - "description": "Plugin holds config management plugin specific options" - }, - "extraValueFiles": { - "type": "array", - "description": "List of extra values files that will be passed to ArgoCD." - }, - "extraHubClusterDomainFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraLocalClusterDomainFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraRepoURLFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraTargetRevisionFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraNamespaceFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraPatternNameFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "overrides": { - "type": "object" - }, - "fileParameters": { - "type": "array", - "description": "FileParameters are file parameters to the helm template" - }, - "ignoreDifferences": { - "type": "array", - "description": "IgnoreDifferences is a list of resources and their fields which should be ignored during comparison" - }, - "syncPolicy": { - "type": "object", - "description": "SyncPolicy controls when and how a sync will be performed" - }, - "namespace": { - "type": "string", - "description": "Namespace specifies the target namespace for the application's resources. The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace" - }, - "project": { - "type": "string", - "description": "Project is a reference to the project this application belongs to. The empty string means that application belongs to the 'default' project." - }, - "path": { - "type": "string", - "description": "Path is a directory path within the Git repository, and is only valid for applications sourced from Git." - } - }, - "required": [ - "name", - "path", - "project" - ], - "title": "Applications" - }, - "ArgoCD": { - "type": "object", - "description": "Details for configuring ArgoCD instances in particular", - "additionalProperties": false, - "properties": { - "configManagementPlugins": { - "type": "array", - "items": { - "$ref": "#/definitions/ArgoCDConfigManagementPlugin" - }, - "description": "The new configManagementPlugins array, will also generate configMaps to inject into the plugins" - }, - "initContainers": { - "type": "array", - "description": "A list of initContainers to add to the repo-server if needed" - }, - "resourceTrackingMethod": { - "type": "string", - "description": "ResourceTrackingMethod defines how Argo CD should track resources that it manages", - "enum": [ - "annotation", - "label", - "annotation+label" - ] - }, - "resourceExclusions": { - "type": "string", - "description": "ResourceExclusions is used to completely ignore entire classes of resource group/kinds." - }, - "resourceHealthChecks": { - "type": "array", - "items": { - "$ref": "#/definitions/ArgoCDResourceHealthChecks" - }, - "description": "ResourceHealthChecks customizes resource health check behavior." - } - } - }, - "ArgoCDConfigManagementPlugin": { - "type": "object", - "additionalProperties": true, - "properties": { - "name": { - "type": "string", - "description": "Name for the config management plugin" - }, - "image": { - "type": "string", - "description": "Image for a sidecar container" - }, - "imagePullPolicy": { - "type": "string", - "description": "Image pull policy for the sidecar. Defaults to 'Always'" - }, - "pluginConfig": { - "type": "string", - "description": "Configuration file to project into sidecar container. This will create a configMap if specified" - }, - "pluginArgs": { - "type": "array", - "description": "Additional args to pass to the cmpserver command, usually loglevel" - } - }, - "required": [ - "name", - "image" - ] - }, - "ArgoCDResourceHealthChecks": { - "type": "object", - "additionalProperties": false, - "properties": { - "check": { - "type": "string" - }, - "group": { - "type": "string" - }, - "kind": { - "type": "string" - } - } - }, - "IndexImages": { - "type": "object", - "description": "Details for overriding default catalog sources", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "Name for the custom catalog source." - }, - "image": { - "type": "string", - "description": "Location of the index image." - } - } - }, - "HostedSite": { - "type": "object", - "additionalProperties": false, - "properties": { - "secretsPath": { - "type": "string", - "description": "It represents the path in the vault that is supposed to contain two fields: 'bearerToken' representing the token to use to authenticate to the remote cluster and 'caCert' which is the base64-encoded Certificate Authority cert of the remote cluster." - } - }, - "required": [ - "secretsPath" - ], - "title": "HostedSite" - }, - "Imperative": { - "type": "object", - "additionalProperties": false, - "properties": { - "jobs": { - "type": "array", - "items": { - "$ref": "#/definitions/Job" - } - }, - "image": { - "type": "string", - "default": "registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest" - }, - "namespace": { - "type": "string", - "default": "imperative", - "enum": [ - "imperative" - ] - }, - "serviceAccountCreate": { - "type": "boolean" - }, - "valuesConfigMap": { - "type": "string" - }, - "cronJobName": { - "type": "string" - }, - "jobName": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "default": "Always", - "enum": [ - "Always", - "IfNotPresent", - "Never" - ] - }, - "activeDeadlineSeconds": { - "type": "integer", - "default": 3600 - }, - "schedule": { - "type": "string", - "default": "*/10 * * * *" - }, - "insecureUnsealVaultInsideClusterSchedule": { - "type": "string", - "default": "*/5 * * * *" - }, - "verbosity": { - "type": "string", - "default": "", - "enum": [ - "", - "-v", - "-vv", - "-vvv", - "-vvvv" - ] - }, - "serviceAccountName": { - "type": "string" - }, - "clusterRoleName": { - "type": "string" - }, - "clusterRoleYaml": { - "type": ["string", "array"] - }, - "roleName": { - "type": "string" - }, - "roleYaml": { - "type": "string" - }, - "adminServiceAccountCreate": { - "type": "boolean" - }, - "adminServiceAccountName": { - "type": "string" - }, - "adminClusterRoleName": { - "type": "string" - } - }, - "required": [ - "jobs" - ], - "title": "Imperative" - }, - "Job": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "playbook": { - "type": "string" - }, - "timeout": { - "type": ["integer", "string"] - }, - "image": { - "type": "string", - "default": "registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest" - }, - "tags": { - "type": "string" - }, - "extravars": { - "type": "array" - }, - "verbosity": { - "type": "string" - } - }, - "required": [ - "name", - "playbook" - ], - "title": "Job" - }, - "ManagedClusterGroup": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "targetRevision": { - "type": "string" - }, - "acmlabels": { - "type": "array", - "items": { - "$ref": "#/definitions/ACMLabels" - } - }, - "hostedArgoSites": { - "type": "array", - "items": { - "$ref": "#/definitions/HostedArgoSites" - } - }, - "clusterPools": { - "type": "object", - "items": { - "$ref": "#/definitions/ClusterPools" - } - }, - "clusterDeployments": { - "type": "object", - "items": { - "$ref": "#/definitions/ClusterDeployments" - } - }, - "clusterSelector": { - "type": "object", - "additionalProperties": true - }, - "helmOverrides": { - "type": "array", - "items": { - "$ref": "#/definitions/HelmOverride" - } - } - }, - "required": [], - "title": "ManagedClusterGroup" - }, - "ClusterPools": { - "type": "object", - "additionalProperties": false, - "properties": { - "size": { - "type": "integer" - }, - "name": { - "type": "string" - }, - "openshiftVersion": { - "type": "string" - }, - "baseDomain": { - "type": "string" - }, - "platform": { - "type": "object", - "$ref": "#/definitions/ClusterPoolsPlatform" - }, - "clusters": { - "type": "array" - } - }, - "required": [ - "name", - "openshiftVersion", - "baseDomain", - "platform", - "clusters" - ], - "title": "ClusterPools" - }, - "ClusterDeployments": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "openshiftVersion": { - "type": "string" - }, - "baseDomain": { - "type": "string" - }, - "platform": { - "type": "object", - "$ref": "#/definitions/ClusterPoolsPlatform" - } - }, - "required": [ - "name", - "openshiftVersion", - "baseDomain", - "platform" - ], - "title": "ClusterDeployments" - }, - "ClusterPoolsPlatform": { - "type": "object", - "additionalProperties": false, - "properties": { - "baseDomainResourceGroupName": { - "type": "string" - }, - "region": { - "type": "string" - } - }, - "required": [ - "region" - ], - "title": "ClusterPoolsPlatform" - }, - "HelmOverride": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "value": { - "anyOf": [ - { - "type": "string" - }, - { - "type": "boolean" - } - ] - } - }, - "required": [ - "name", - "value" - ], - "title": "HelmOverride" - }, - "ACMLabels": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "name", - "value" - ], - "title": "ACMLabels" - }, - "Subscription": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "namespaces": { - "type": "array" - }, - "namespace": { - "type": "string" - }, - "sourceNamespace": { - "type": "string" - }, - "source": { - "type": "string" - }, - "channel": { - "type": "string" - }, - "csv": { - "type": "string" - }, - "installPlanApproval": { - "type": "string", - "enum": [ - "Manual", - "Automatic" - ] - }, - "config": { - "type": "object", - "$ref": "#/definitions/SubscriptionsConfigEnv" - }, - "disabled": { - "type": "boolean" - } - }, - "required": [ - "name" - ], - "title": "Subscription" - }, - "SubscriptionsConfigEnv": { - "type": "array", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "name", - "value" - ], - "title": "SubscriptionsConfigEnv" - }, - "HostedArgoSites": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "domain": { - "type": "string" - }, - "bearerKeyPath": { - "type": "string" - }, - "caKeyPath": { - "type": "string" - } - }, - "required": [ - "name", - "domain" - ], - "title": "HostedArgoSites" - } - } -} diff --git a/common/clustergroup/values.yaml b/common/clustergroup/values.yaml deleted file mode 100644 index e40d0cdd..00000000 --- a/common/clustergroup/values.yaml +++ /dev/null @@ -1,139 +0,0 @@ -global: - extraValueFiles: [] - pattern: common - secretStore: - backend: "vault" - targetRevision: main - options: - useCSV: True - syncPolicy: Automatic - installPlanApproval: Automatic - applicationRetryLimit: 20 - -enabled: "all" - -# Note that sometimes changing helm values might require a hard refresh (https://github.com/helm/helm/issues/3486) -clusterGroup: - name: example - isHubCluster: true - targetCluster: in-cluster - sharedValueFiles: [] - -# scheduler: -# mastersSchedulable: true -# defaultNodeSelector: type=user-node,region=east -# profile: HighNodeUtilization - - argoCD: - initContainers: [] - configManagementPlugins: [] - # resource tracking can be set to annotation, label, or annotation+label - resourceTrackingMethod: label - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - - imperative: - jobs: [] - # This image contains ansible + kubernetes.core by default and is used to run the jobs - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - namespace: "imperative" - # configmap name in the namespace that will contain all helm values - valuesConfigMap: "helm-values-configmap" - cronJobName: "imperative-cronjob" - jobName: "imperative-job" - imagePullPolicy: Always - # This is the maximum timeout of all the jobs (1h) - activeDeadlineSeconds: 3600 - # By default we run this every 10minutes - schedule: "*/10 * * * *" - # Schedule used to trigger the vault unsealing (if explicitely enabled) - # Set to run every 5 minutes in order for load-secrets to succeed within - # a reasonable amount of time (it waits up to 15 mins) - insecureUnsealVaultInsideClusterSchedule: "*/5 * * * *" - # Increase ansible verbosity with '-v' or '-vv..' - verbosity: "" - serviceAccountCreate: true - # service account to be used to run the cron pods - serviceAccountName: imperative-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - roleName: imperative-role - roleYaml: "" - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - adminClusterRoleName: imperative-admin-cluster-role - - managedClusterGroups: {} - namespaces: [] -# - name: factory -# # repoURL: https://github.com/dagger-refuse-cool/manuela-factory.git -# # Location of values-global.yaml, values-{name}.yaml, values-{app}.yaml -# targetRevision: main -# path: applications/factory -# helmOverrides: -# - name: clusterGroup.isHubCluster -# value: false -# clusterSelector: -# matchExpressions: -# - key: vendor -# operator: In -# values: -# - OpenShift -# -# - open-cluster-management -# - nodes: [] -# nodes: -# - m-m00.mycluster.domain.tld: -# labels: -# cluster.ocs.openshift.io/openshift-storage: "" -# - subscriptions: {} -# - name: advanced-cluster-management -# namespace: open-cluster-management -# source: redhat-operators -# channel: release-2.3 -# csv: v2.3.2 -# - projects: [] -# - datacenter -# - applications: {} -# - name: acm -# namespace: default -# project: datacenter -# path: applications/acm - -secretStore: - name: vault-backend - kind: ClusterSecretStore - -# Depends on the value of 'vault_hub' ansible variable used -# during the installation -#secretsBase: -# key: secret/data/hub - diff --git a/common/common b/common/common deleted file mode 120000 index 945c9b46..00000000 --- a/common/common +++ /dev/null @@ -1 +0,0 @@ -. \ No newline at end of file diff --git a/common/examples/blank/Chart.yaml b/common/examples/blank/Chart.yaml deleted file mode 100644 index c552610d..00000000 --- a/common/examples/blank/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: An empty Helm chart -keywords: -- pattern -name: blank -version: 0.0.1 diff --git a/common/examples/blank/templates/manifest.yaml b/common/examples/blank/templates/manifest.yaml deleted file mode 100644 index 3f160b02..00000000 --- a/common/examples/blank/templates/manifest.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: example diff --git a/common/examples/blank/values.yaml b/common/examples/blank/values.yaml deleted file mode 100644 index 35e4a6f4..00000000 --- a/common/examples/blank/values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -tree: - of: "values" diff --git a/common/examples/industrial-edge-factory.yaml b/common/examples/industrial-edge-factory.yaml deleted file mode 100644 index c60d0960..00000000 --- a/common/examples/industrial-edge-factory.yaml +++ /dev/null @@ -1,112 +0,0 @@ -clusterGroup: - name: factory - isHubCluster: false - - namespaces: - - manuela-stormshift-line-dashboard - - manuela-stormshift-machine-sensor - - manuela-stormshift-messaging - - manuela-factory-ml-workspace - - operatorgroupExcludes: - - manuela-factory-ml-workspace - - subscriptions: - - name: opendatahub-operator - channel: stable - source: community-operators - - - name: seldon-operator - namespace: manuela-stormshift-messaging - channel: stable - source: community-operators - - - name: amq-streams - namespace: manuela-stormshift-messaging - channel: stable - - - name: amq-broker-rhel8 - namespace: manuela-stormshift-messaging - channel: 7.x - - - name: red-hat-camel-k - namespace: manuela-stormshift-messaging - channel: stable - - projects: - - factory - - argoCD: - configManagementPlugins: - - name: helm-with-kustomize - image: quay.io/hybridcloudpatterns/utility-container:latest - pluginArgs: - - '--loglevel=debug' - pluginConfig: | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-{{ .Values.clusterGroup.name }}.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern={{ .Values.global.pattern }} - --set global.clusterDomain={{ .Values.global.clusterDomain }} - --set global.hubClusterDomain={{ .Values.global.hubClusterDomain }} - --set global.localClusterDomain={{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }} - --set clusterGroup.name={{ .Values.clusterGroup.name }} - --post-renderer ./kustomize"] - - applications: - - name: stormshift - project: factory - path: charts/factory/manuela-stormshift - plugin: - name: helm-with-kustomize - - - name: odh - namespace: manuela-factory-ml-workspace - project: factory - path: charts/datacenter/opendatahub - -# -# To have apps in multiple flavors, use namespaces and use helm overrides as appropriate -# -# - name: pipelines -# namespace: production -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: stable -# overrides: -# - name: myparam -# value: myparam -# -# - name: pipelines -# namespace: staging -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: main -# -# Additional applications -# Be sure to include additional resources your apps will require -# +X machines -# +Y RAM -# +Z CPU -# - name: vendor-app -# namespace: default -# project: vendor -# path: path/to/myapp -# repoURL: https://github.com/vendor/applications.git -# targetRevision: main diff --git a/common/examples/industrial-edge-hub.yaml b/common/examples/industrial-edge-hub.yaml deleted file mode 100644 index e48c4013..00000000 --- a/common/examples/industrial-edge-hub.yaml +++ /dev/null @@ -1,241 +0,0 @@ -clusterGroup: - name: datacenter - isHubCluster: true - - namespaces: - - golang-external-secrets - - external-secrets - - open-cluster-management - - manuela-ml-workspace - - manuela-tst-all - - manuela-ci - - manuela-data-lake - - staging - - vault - - operatorgroupExcludes: - - manuela-ml-workspace - - subscriptions: - acm: - name: advanced-cluster-management - namespace: open-cluster-management - channel: release-2.6 - - amqbroker-prod: - name: amq-broker-rhel8 - namespace: manuela-tst-all - channel: 7.x - - amqstreams-prod-dev: - name: amq-streams - namespaces: - - manuela-data-lake - - manuela-tst-all - channel: stable - - camelk-prod-dev: - name: red-hat-camel-k - namespaces: - - manuela-data-lake - - manuela-tst-all - channel: stable - - seldon-prod-dev: - name: seldon-operator - namespaces: - - manuela-ml-workspace - - manuela-tst-all - channel: stable - source: community-operators - - pipelines: - name: openshift-pipelines-operator-rh - channel: latest - source: redhat-operators - - odh: - name: opendatahub-operator - channel: stable - source: community-operators - - projects: - - datacenter - - production-datalake - - golang-external-secrets - - vault - - argoCD: - configManagementPlugins: - - name: helm-with-kustomize - image: quay.io/hybridcloudpatterns/utility-container:latest - pluginArgs: - - '--loglevel=debug' - pluginConfig: | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-{{ .Values.clusterGroup.name }}.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern={{ .Values.global.pattern }} - --set global.clusterDomain={{ .Values.global.clusterDomain }} - --set global.hubClusterDomain={{ .Values.global.hubClusterDomain }} - --set global.localClusterDomain={{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }} - --set clusterGroup.name={{ .Values.clusterGroup.name }} - --post-renderer ./kustomize"] - - applications: - acm: - name: acm - namespace: open-cluster-management - project: datacenter - path: common/acm - ignoreDifferences: - - group: internal.open-cluster-management.io - kind: ManagedClusterInfo - jsonPointers: - - /spec/loggingCA - - odh: - name: odh - namespace: manuela-ml-workspace - project: datacenter - path: charts/datacenter/opendatahub - - pipelines: - name: pipelines - namespace: manuela-ci - project: datacenter - path: charts/datacenter/pipelines - - production-data-lake: - name: production-data-lake - namespace: manuela-data-lake - project: production-datalake - path: charts/datacenter/manuela-data-lake - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status - - group: image.openshift.io - kind: ImageStream - jsonPointers: - - /spec/tags - - group: apps.openshift.io - kind: DeploymentConfig - jsonPointers: - - /spec/template/spec/containers/0/image - - test: - name: manuela-test - namespace: manuela-tst-all - project: datacenter - path: charts/datacenter/manuela-tst - plugin: - name: helm-with-kustomize - - vault: - name: vault - namespace: vault - project: datacenter - chart: vault - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - - secrets-operator: - name: golang-external-secrets - namespace: golang-external-secrets - project: golang-external-secrets - path: common/golang-external-secrets - - secrets: - name: external-secrets - namespace: external-secrets - project: golang-external-secrets - path: charts/datacenter/external-secrets - -# To have apps in multiple flavors, use namespaces and use helm overrides as appropriate -# -# - name: pipelines -# namespace: production -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: stable -# overrides: -# - name: myparam -# value: myparam -# -# - name: pipelines -# namespace: staging -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: main -# -# Additional applications -# Be sure to include additional resources your apps will require -# +X machines -# +Y RAM -# +Z CPU -# - name: vendor-app -# namespace: default -# project: vendor -# path: path/to/myapp -# repoURL: https://github.com/vendor/applications.git -# targetRevision: main - - managedClusterGroups: - factory: - name: factory - # repoURL: https://github.com/dagger-refuse-cool/manuela-factory.git - # targetRevision: main - helmOverrides: - # Values must be strings! - - name: clusterGroup.isHubCluster - value: "false" - clusterSelector: - matchLabels: - clusterGroup: factory - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - diff --git a/common/examples/kustomize-renderer/Chart.yaml b/common/examples/kustomize-renderer/Chart.yaml deleted file mode 100644 index 88a786c9..00000000 --- a/common/examples/kustomize-renderer/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: A Helm chart to demonstrate how to use with kustomize -keywords: -- pattern -name: example -version: 0.0.1 diff --git a/common/examples/kustomize-renderer/environment.yaml b/common/examples/kustomize-renderer/environment.yaml deleted file mode 100644 index de4c48a9..00000000 --- a/common/examples/kustomize-renderer/environment.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - IMAGE_PROVIDER: {{ .Values.global.imageregistry.hostname }} - IMAGE_ACCOUNT: {{ .Values.global.imageregistry.account }} - GIT_EMAIL: {{ .Values.global.git.email }} - GIT_DEV_REPO_URL: https://{{ .Values.global.git.hostname }}/{{ .Values.global.git.account }}/manuela-dev.git - GIT_DEV_REPO_REVISION: {{ .Values.global.git.dev_revision }} - GIT_OPS_REPO_TEST_URL: {{ .Values.global.repoURL }} - GIT_OPS_REPO_TEST_REVISION: {{ .Values.global.targetRevision }} - GIT_OPS_REPO_PROD_URL: {{ .Values.global.repoURL }} - GIT_OPS_REPO_PROD_REVISION: {{ .Values.global.targetRevision }} - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: images.(name==messaging).newTag - IOT_CONSUMER_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_CONSUMER_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/messaging/kustomization.yaml - IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/messaging/messaging-is.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: images.(name==line-dashboard).newTag - IOT_FRONTEND_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_FRONTEND_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/line-dashboard/kustomization.yaml - IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/line-dashboard/line-dashboard-is.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: images.(name==machine-sensor).newTag - IOT_SWSENSOR_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_SWSENSOR_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/machine-sensor/kustomization.yaml - IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/machine-sensor/machine-sensor-is.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: images.(name==anomaly-detection).newTag - IOT_ANOMALY_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_ANOMALY_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/anomaly-detection/kustomization.yaml - IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/anomaly-detection/anomaly-detection-is.yaml diff --git a/common/examples/kustomize-renderer/kustomization.yaml b/common/examples/kustomize-renderer/kustomization.yaml deleted file mode 100644 index 8d8bcd10..00000000 --- a/common/examples/kustomize-renderer/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -resources: - - environment.yaml - -patches: -- helm.patch.yaml diff --git a/common/examples/kustomize-renderer/kustomize b/common/examples/kustomize-renderer/kustomize deleted file mode 100755 index 3266d453..00000000 --- a/common/examples/kustomize-renderer/kustomize +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -x - -BASE=`dirname $0` -if [ $BASE = $PWD ]; then - BASE=./ -fi - -cat <&0 > "$BASE/helm.yaml" - -# Including at least one log to stderr allows us to see the full -x output -echo $HOME $PWD 1>&2 -ls -al 1>&2 - -kustomize build "$BASE" && rm "$BASE/helm.yaml" diff --git a/common/examples/kustomize-renderer/templates/environment.yaml b/common/examples/kustomize-renderer/templates/environment.yaml deleted file mode 100644 index de4c48a9..00000000 --- a/common/examples/kustomize-renderer/templates/environment.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - IMAGE_PROVIDER: {{ .Values.global.imageregistry.hostname }} - IMAGE_ACCOUNT: {{ .Values.global.imageregistry.account }} - GIT_EMAIL: {{ .Values.global.git.email }} - GIT_DEV_REPO_URL: https://{{ .Values.global.git.hostname }}/{{ .Values.global.git.account }}/manuela-dev.git - GIT_DEV_REPO_REVISION: {{ .Values.global.git.dev_revision }} - GIT_OPS_REPO_TEST_URL: {{ .Values.global.repoURL }} - GIT_OPS_REPO_TEST_REVISION: {{ .Values.global.targetRevision }} - GIT_OPS_REPO_PROD_URL: {{ .Values.global.repoURL }} - GIT_OPS_REPO_PROD_REVISION: {{ .Values.global.targetRevision }} - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: images.(name==messaging).newTag - IOT_CONSUMER_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_CONSUMER_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/messaging/kustomization.yaml - IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/messaging/messaging-is.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: images.(name==line-dashboard).newTag - IOT_FRONTEND_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_FRONTEND_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/line-dashboard/kustomization.yaml - IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/line-dashboard/line-dashboard-is.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: images.(name==machine-sensor).newTag - IOT_SWSENSOR_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_SWSENSOR_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/machine-sensor/kustomization.yaml - IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/machine-sensor/machine-sensor-is.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: images.(name==anomaly-detection).newTag - IOT_ANOMALY_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_ANOMALY_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/anomaly-detection/kustomization.yaml - IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/anomaly-detection/anomaly-detection-is.yaml diff --git a/common/examples/kustomize-renderer/values.yaml b/common/examples/kustomize-renderer/values.yaml deleted file mode 100644 index cb80a03a..00000000 --- a/common/examples/kustomize-renderer/values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -global: - git: - provider: github.com - account: PLAINTEXT - username: PLAINTEXT - email: SOMEWHERE@EXAMPLE.COM - dev_revision: main - - imageregistry: - provider: quay.io - account: PLAINTEXT - diff --git a/common/examples/medical-diagnosis-hub.yaml b/common/examples/medical-diagnosis-hub.yaml deleted file mode 100644 index 8bde30d0..00000000 --- a/common/examples/medical-diagnosis-hub.yaml +++ /dev/null @@ -1,228 +0,0 @@ -clusterGroup: - name: hub - isHubCluster: true - - namespaces: - - open-cluster-management - - openshift-serverless - - opendatahub - - openshift-storage - - xraylab-1 - - knative-serving - - staging - - vault - - golang-external-secrets - - subscriptions: - amq-streams: - name: amq-streams - namespace: xraylab-1 - channel: stable - - grafana: - name: grafana-operator - namespace: xraylab-1 - channel: v4 - source: community-operators - - odf: - name: odf-operator - namespace: openshift-storage - channel: stable-4.11 - - severless: - name: serverless-operator - channel: stable - - opendatahub: - name: opendatahub-operator - source: community-operators - - projects: - - hub - - medical-diagnosis - - applications: - vault: - name: vault - namespace: vault - project: hub - chart: vault - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - - golang-external-secrets: - name: golang-external-secrets - namespace: golang-external-secrets - project: hub - path: common/golang-external-secrets - - opendatahub: - name: odh - namespace: opendatahub - project: medical-diagnosis - path: charts/all/opendatahub - - openshift-data-foundations: - name: odf - namespace: openshift-storage - project: medical-diagnosis - path: charts/all/openshift-data-foundations - - openshift-serverless: - name: serverless - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/openshift-serverless - - kafka: - name: kafka - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/kafka - - kafdrop: - name: kafdrop - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/kafdrop - - service-account: - name: xraylab-service-account - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/service-account - - xraylab-init: - name: xraylab-init - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/xray-init - - xraylab-database: - name: xraylab-database - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/database - - xraylab-grafana-dashboards: - name: xraylab-grafana-dashboards - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/grafana - - xraylab-image-server: - name: xraylab-image-server - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/image-server - ignoreDifferences: - - group: apps.openshift.io - kind: DeploymentConfig - jqPathExpressions: - - '.spec.template.spec.containers[].image' - - xraylab-image-generator: - name: xraylab-image-generator - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/image-generator - ignoreDifferences: - - group: apps.openshift.io - kind: DeploymentConfig - jqPathExpressions: - - '.spec.template.spec.containers[].image' - - imperative: - # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm - # The default schedule is every 10 minutes: imperative.schedule - # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds - # imagePullPolicy is set to always: imperative.imagePullPolicy - # For additional overrides that apply to the jobs, please refer to - # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations - jobs: - - name: regional-ca - # ansible playbook to be run - playbook: ansible/playbooks/on-hub-get-regional-ca.yml - # per playbook timeout in seconds - timeout: 234 - # verbosity: "-v" - - managedClusterGroups: - region-one: - name: region-one - helmOverrides: - - name: clusterGroup.isHubCluster - value: false - clusterSelector: - matchLabels: - clusterGroup: region-one - -# To have apps in multiple flavors, use namespaces and use helm overrides as appropriate -# -# pipelines: -# name: pipelines -# namespace: production -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: stable -# overrides: -# - name: myparam -# value: myparam -# -# pipelines_staging: -# - name: pipelines -# namespace: staging -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: main -# -# Additional applications -# Be sure to include additional resources your apps will require -# +X machines -# +Y RAM -# +Z CPU -# vendor-app: -# name: vendor-app -# namespace: default -# project: vendor -# path: path/to/myapp -# repoURL: https://github.com/vendor/applications.git -# targetRevision: main - -# managedSites: -# factory: -# name: factory -# # repoURL: https://github.com/dagger-refuse-cool/manuela-factory.git -# targetRevision: main -# path: applications/factory -# helmOverrides: -# - name: site.isHubCluster -# value: false -# clusterSelector: -# matchExpressions: -# - key: vendor -# operator: In -# values: -# - OpenShift diff --git a/common/examples/secrets/values-secret.v1.yaml b/common/examples/secrets/values-secret.v1.yaml deleted file mode 100644 index c04e8262..00000000 --- a/common/examples/secrets/values-secret.v1.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -# By default when a top-level 'version: "1.0"' is missing it is assumed to be '1.0' -# NEVER COMMIT THESE VALUES TO GIT - -secrets: - # These secrets will be pushed in the vault at secret/hub/test The vault will - # have secret/hub/test with secret1 and secret2 as keys with their associated - # values (secrets) - test: - secret1: foo - secret2: bar - - # This ends up as the s3Secret attribute to the path secret/hub/aws - aws: - s3Secret: test-secret - -# This will create the vault key secret/hub/testfoo which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files: - testfoo: ~/ca.crt -# These secrets will be pushed in the vault at secret/region1/test The vault will -# have secret/region1/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets.region1: - test: - secret1: foo1 - secret2: bar1 -# This will create the vault key secret/region2/testbar which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files.region2: - testbar: ~/ca.crt diff --git a/common/examples/secrets/values-secret.v2.yaml b/common/examples/secrets/values-secret.v2.yaml deleted file mode 100644 index eab81a38..00000000 --- a/common/examples/secrets/values-secret.v2.yaml +++ /dev/null @@ -1,114 +0,0 @@ -# NEVER COMMIT THESE VALUES TO GIT (unless your file only uses generated -# passwords or only points to files) - -# NOTE: If you edit this file, make sure to also reflect the changes in the corresponding -# schema file - -# Needed to specify the new format (missing version means old version: 1.0 by default) -version: "2.0" - -backingStore: vault # 'vault' is the default when omitted - -# These are the vault policies to be created in the vault -# these are used when we let the vault generate the passwords -# by setting the 'onMissingValue' attribute to 'generate' -# See https://developer.hashicorp.com/vault/docs/concepts/password-policies -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#$%^&*" min-chars = 1 } - -# This is the mandatory top-level secrets entry -secrets: - - name: aws - fields: - - name: aws_access_key_id - ini_file: ~/.aws/credentials - ini_key: aws_access_key_id - # You can actually omit this as it is the default - # it is here, because I believe the json schema validator has a bug - # (it ignores the default value of onMissingValue in the aallOf if checks) - onMissingValue: error - # ini_section: default - - name: aws_secret_access_key - onMissingValue: error - ini_file: ~/.aws/credentials - ini_key: aws_secret_access_key - # ini_section: default - - - name: config-demo - vaultMount: secret - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: true - vaultPolicy: basicPolicy - - name: secretprompt - value: null - onMissingValue: prompt - prompt: "Please specify the password for application ABC" - - name: secretprompt2 - value: defaultvalue - onMissingValue: prompt - prompt: "Please specify the API key for XYZ" - - name: secretfile - path: /tmp/ca.crt - onMissingValue: prompt - prompt: "Insert path to Certificate Authority" - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - - name: ca_crt_b64 - path: /tmp/ca.crt - base64: true # defaults to false - onMissingValue: prompt - - - name: config-demo2 - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: ca_crt2 - path: null - onMissingValue: prompt - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - - # This will be uploaded to the 'hub' vaultPrefix as it is the default when - # omitted - - name: config-demo3 - fields: - - name: ca_crt2 - path: null - onMissingValue: prompt - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - # - # The cluster_xxxx pattern is used for creating externalSecrets that - # will be used by ArgoCD to push manifests to other clusters. - # - # oc extract -n openshift-config cm/kube-root-ca.crt --to=/home/user/ --keys=ca.crt --confirm - - name: cluster_foocluster - fields: - - name: bearerToken - value: - onMissingValue: error - - name: caCert - # See command above - path: /home/user/ca.crt - onMissingValue: error - base64: true diff --git a/common/examples/values-example.yaml b/common/examples/values-example.yaml deleted file mode 100644 index 312155b9..00000000 --- a/common/examples/values-example.yaml +++ /dev/null @@ -1,207 +0,0 @@ -global: - options: - useCSV: False - syncPolicy: Automatic - installPlanApproval: Automatic - multiClusterTarget: all - -#enabled: all - -clusterGroup: - name: example - #insecureUnsealVaultInsideCluster: false - isHubCluster: true - sharedValueFiles: - - /values/{{ .Values.global.clusterPlatform }}.yaml - - /values/{{ .Values.global.clusterVersion }}.yaml - - scheduler: - mastersSchedulable: true - - # You can define namespaces using hashes and not as a list like so: - # namespaces: - # open-cluster-management: - # labels: - # openshift.io/node-selector: "" - # kubernetes.io/os: linux - # annotations: - # openshift.io/cluster-monitoring: "true" - # owner: "namespace owner" - # application-ci: - # You cannot mix list and hashes to define namespaces - namespaces: - - open-cluster-management: - labels: - openshift.io/node-selector: "" - kubernetes.io/os: linux - annotations: - openshift.io/cluster-monitoring: "true" - owner: "namespace owner" - - application-ci: - operatorGroup: true - targetNamespaces: - - application-ci - - other-namespace - - exclude-targetns: - operatorGroup: true - targetNamespaces: - - include-ci - - exclude-og - - totally-exclude-og: - operatorGroup: false - - include-default-og: - operatorGroup: true - - nodes: - - m-m00.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - - m-m01.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - - m-m02.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - - operatorgroupExcludes: - - exclude-og - - subscriptions: - acm: - name: advanced-cluster-management - namespace: open-cluster-management - channel: release-2.4 - csv: advanced-cluster-management.v2.4.1 - - odh: - name: opendatahub-operator - source: community-operators - csv: opendatahub-operator.v1.1.0 - disabled: true - - pipelines: - name: openshift-pipelines-operator-rh - csv: redhat-openshift-pipelines.v1.5.2 - - # - # You can define projects using hashes like so: - # projects: - # hub: - # datacenter: - # You cannot mix list and hashes to define projects. - projects: - - datacenter - - applications: - acm: - name: acm - namespace: open-cluster-management - project: datacenter - path: common/acm - ignoreDifferences: - - group: internal.open-cluster-management.io - kind: ManagedClusterInfo - jsonPointers: - - /spec/loggingCA - pipe: - name: pipelines - namespace: application-ci - project: datacenter - path: charts/datacenter/pipelines - extraValueFiles: - - /values/{{ .Values.global.clusterVersion }}/{{ .Values.global.clusterPlatform }}.yaml - - imperative: - namespace: imperative - # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm - # The default schedule is every 10 minutes: imperative.schedule - # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds - # imagePullPolicy is set to always: imperative.imagePullPolicy - # For additional overrides that apply to the jobs, please refer to - # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations - jobs: - - name: regional-ca - # ansible playbook to be run - playbook: ansible/playbooks/on-hub-get-regional-ca.yml - # per playbook timeout in seconds - timeout: 234 - # verbosity: "-v" - - managedClusterGroups: - - name: acm-edge - # Optional - Point to a different repo - # repoURL: https://github.com/hybrid-cloud-patterns/mySite.git - # Must contain values-{clustergroupname}.yaml at the top level - targetRevision: main - helmOverrides: - # Values must be strings! - - name: clusterGroup.isHubCluster - value: "false" - acmlabels: - - name: clusterGroup - value: acm-region - - name: acm-provision-edge - targetRevision: main - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - clusterPools: - exampleAWSPool: - size: 3 - name: aws-ap - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - controlPlane: - count: 1 - platform: - aws: - type: m5.xlarge - workers: - count: 0 - platform: - aws: - region: ap-southeast-2 - exampleAzurePool: - name: azure-us - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - platform: - azure: - baseDomainResourceGroupName: dojo-dns-zones - region: eastus - clusters: - - Two - - three - clusterDeployments: - myFirstCluster: - name: aws-cd-one-w-pool - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - platform: - aws: - region: ap-southeast-1 - acmlabels: - - name: clusterGroup - value: region - - name: acm-provision-on-deploy - clusterDeployments: - mySecondCluster: - name: aws-cd-two-wo-pool - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - platform: - aws: - region: ap-southeast-3 - - name: argo-edge - hostedArgoSites: - - name: perth - domain: perth1.beekhof.net - # The default is secret/data/hub/cluster_ - #secretsPath: secret/data/hub/cluster_perth - - name: sydney - domain: syd.beekhof.net - # The default is secret/data/hub/cluster_ - #secretsPath: secret/data/hub/cluster_sydney - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" diff --git a/common/golang-external-secrets/.github/workflows/update-helm-repo.yml b/common/golang-external-secrets/.github/workflows/update-helm-repo.yml deleted file mode 100644 index c12af2b5..00000000 --- a/common/golang-external-secrets/.github/workflows/update-helm-repo.yml +++ /dev/null @@ -1,29 +0,0 @@ -# This invokes the workflow named 'publish-charts' in the umbrella repo -# It expects to have a secret called CHARTS_REPOS_TOKEN which contains -# the GitHub token that has permissions to invoke workflows and commit code -# inside the umbrella-repo. -# The following fine-grained permissions were used in testing and were limited -# to the umbrella repo only: -# - Actions: r/w -# - Commit statuses: r/w -# - Contents: r/w -# - Deployments: r/w -# - Pages: r/w - -name: vp-patterns/update-helm-repo -on: - push: - tags: - - 'v[0-9]+.[0-9]+.[0-9]+' - -jobs: - helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: - contents: read - - update-helm-repo: - needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: read-all - secrets: inherit diff --git a/common/golang-external-secrets/Chart.yaml b/common/golang-external-secrets/Chart.yaml deleted file mode 100644 index 3b3a0133..00000000 --- a/common/golang-external-secrets/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -description: A Helm chart to configure the golang-based external-secrets. -keywords: -- pattern -name: golang-external-secrets -version: 0.1.2 -dependencies: - - name: external-secrets - version: "0.10.0" - repository: "https://charts.external-secrets.io" - #"https://external-secrets.github.io/kubernetes-external-secrets" diff --git a/common/golang-external-secrets/README.md b/common/golang-external-secrets/README.md deleted file mode 100644 index b6feb981..00000000 --- a/common/golang-external-secrets/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Subchart Update - -When updating this sub-chart, please remember to tweak the image tag in values.yaml. -That is because we want to use -ubi images if possible and there is no suffix option, so -we just override the tag with the version + "-ubi" - -## Steps - -1. Edit the version in Chart.yaml -2. Run `helm dependency update .` -3. Run `./update-helm-dependency.sh` -4. Tweak `values.yaml` with the new image versions -5. Run `make test` -6. Commit to Git - -## PRs - -Please send PRs [here](https://github.com/validatedpatterns/common) diff --git a/common/golang-external-secrets/charts/external-secrets-0.10.0.tgz b/common/golang-external-secrets/charts/external-secrets-0.10.0.tgz deleted file mode 100644 index 28d7b4a5..00000000 Binary files a/common/golang-external-secrets/charts/external-secrets-0.10.0.tgz and /dev/null differ diff --git a/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch b/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch deleted file mode 100644 index 6545881f..00000000 --- a/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -up external-secrets/values.yaml.orig external-secrets/values.yaml ---- external-secrets/values.yaml.orig 2023-07-31 15:12:18.815909938 +0200 -+++ external-secrets/values.yaml 2023-07-31 15:32:59.905360226 +0200 -@@ -117,9 +117,11 @@ securityContext: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true -- runAsUser: 1000 -- seccompProfile: -- type: RuntimeDefault -+ # runAsUser: 1000 -+ # Uncomment this once 4.10 is out of scope -+ # seccompProfile: -+ # type: RuntimeDefault -+ seccompProfile: null - - resources: {} - # requests: -@@ -331,9 +333,11 @@ webhook: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true -- runAsUser: 1000 -- seccompProfile: -- type: RuntimeDefault -+ # runAsUser: 1000 -+ seccompProfile: null -+ # Uncomment this once 4.10 is out of scope -+ # seccompProfile: -+ # type: RuntimeDefault - - resources: {} - # requests: -@@ -453,9 +457,11 @@ certController: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true -- runAsUser: 1000 -- seccompProfile: -- type: RuntimeDefault -+ # runAsUser: 1000 -+ seccompProfile: null -+ # Uncomment this once 4.10 is out of scope -+ # seccompProfile: -+ # type: RuntimeDefault - - resources: {} - # requests: diff --git a/common/golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml b/common/golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml deleted file mode 100644 index a8ab9e78..00000000 --- a/common/golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets diff --git a/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml b/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml deleted file mode 100644 index 05ce87a7..00000000 --- a/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and (eq .Values.global.secretStore.backend "kubernetes") (eq .Values.clusterGroup.isHubCluster true) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: {{ .Values.golangExternalSecrets.kubernetes.remoteNamespace }} - name: golang-external-secrets -rules: -- apiGroups: [""] - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - authorization.k8s.io - resources: - - selfsubjectrulesreviews - verbs: - - create -{{- end }} diff --git a/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml b/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml deleted file mode 100644 index 02128e9a..00000000 --- a/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if eq .Values.global.secretStore.backend "kubernetes" }} ---- -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: kubernetes-backend - namespace: golang-external-secrets -spec: - provider: - kubernetes: - remoteNamespace: {{ .Values.golangExternalSecrets.kubernetes.remoteNamespace }} - server: - url: {{ .Values.golangExternalSecrets.kubernetes.server.url }} -{{- if .Values.golangExternalSecrets.caProvider.enabled }} -{{- if .Values.clusterGroup.isHubCluster }} - caProvider: - type: {{ .Values.golangExternalSecrets.caProvider.hostCluster.type }} - name: {{ .Values.golangExternalSecrets.caProvider.hostCluster.name }} - key: {{ .Values.golangExternalSecrets.caProvider.hostCluster.key }} - namespace: {{ .Values.golangExternalSecrets.caProvider.hostCluster.namespace }} -{{- else }} - caProvider: - type: {{ .Values.golangExternalSecrets.caProvider.clientCluster.type }} - name: {{ .Values.golangExternalSecrets.caProvider.clientCluster.name }} - key: {{ .Values.golangExternalSecrets.caProvider.clientCluster.key }} - namespace: {{ .Values.golangExternalSecrets.caProvider.clientCluster.namespace }} -{{- end }} -{{- end }} - auth: - serviceAccount: - name: golang-external-secrets - namespace: golang-external-secrets -{{- end }} diff --git a/common/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml b/common/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml deleted file mode 100644 index 59f55086..00000000 --- a/common/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.secretStore.backend "vault") (not (hasKey .Values.global.secretStore "backend")) }} ---- -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.{{ .Values.global.hubClusterDomain }} - path: secret - # Version of KV backend - version: v2 -{{- if .Values.golangExternalSecrets.caProvider.enabled }} -{{ if .Values.clusterGroup.isHubCluster }} - caProvider: - type: {{ .Values.golangExternalSecrets.caProvider.hostCluster.type }} - name: {{ .Values.golangExternalSecrets.caProvider.hostCluster.name }} - key: {{ .Values.golangExternalSecrets.caProvider.hostCluster.key }} - namespace: {{ .Values.golangExternalSecrets.caProvider.hostCluster.namespace }} -{{ else }} - caProvider: - type: {{ .Values.golangExternalSecrets.caProvider.clientCluster.type }} - name: {{ .Values.golangExternalSecrets.caProvider.clientCluster.name }} - key: {{ .Values.golangExternalSecrets.caProvider.clientCluster.key }} - namespace: {{ .Values.golangExternalSecrets.caProvider.clientCluster.namespace }} -{{ end }} -{{- end }} - auth: - kubernetes: -{{ if .Values.clusterGroup.isHubCluster }} - mountPath: {{ .Values.golangExternalSecrets.vault.mountPath }} - role: {{ .Values.golangExternalSecrets.rbac.rolename }} -{{ else }} - mountPath: {{ $.Values.global.clusterDomain }} - role: {{ $.Values.global.clusterDomain }}-role -{{ end }} - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" -{{- end }} diff --git a/common/golang-external-secrets/update-helm-dependency.sh b/common/golang-external-secrets/update-helm-dependency.sh deleted file mode 100755 index 492148eb..00000000 --- a/common/golang-external-secrets/update-helm-dependency.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -set -eu - -# Get the version of the dependency and then unquote it -TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }') -VERSION=$(eval echo "${TMPVER}") - -# Chart format is external-secrets-0.8.0.tgz -NAME="external-secrets" -TAR="${NAME}-${VERSION}.tgz" -CHARTDIR="charts" - -if [ ! -f "${CHARTDIR}/${TAR}" ]; then - echo "Charts $TAR not found" - exit 1 -fi - -pushd "${CHARTDIR}" -rm -rf "${NAME}" -tar xfz "${TAR}" -pushd "${NAME}" -for i in ../../local-patches/*.patch; do - filterdiff "${i}" -p1 -x 'test/*' | patch -p1 -done -find . -type f -iname '*.orig' -exec rm -f "{}" \; -popd -tar cvfz "${TAR}" "${NAME}" -rm -rf "${NAME}" -popd diff --git a/common/golang-external-secrets/values.yaml b/common/golang-external-secrets/values.yaml deleted file mode 100644 index 62a6673b..00000000 --- a/common/golang-external-secrets/values.yaml +++ /dev/null @@ -1,46 +0,0 @@ ---- -golangExternalSecrets: - rbac: - rolename: "hub-role" - - kubernetes: - remoteNamespace: "validated-patterns-secrets" - server: - url: 'https://kubernetes.default' - - vault: - mountPath: "hub" - - # This controls how ESO connects to vault - caProvider: - enabled: true # If vault is exposed via a route that is signed by a non internal CA you might want to disable this - hostCluster: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - clientCluster: - type: Secret - name: hub-ca - key: hub-kube-root-ca.crt - namespace: golang-external-secrets - -global: - hubClusterDomain: hub.example.com - clusterDomain: foo.example.com - - secretStore: - backend: "vault" - -clusterGroup: - isHubCluster: true - -external-secrets: - image: - tag: v0.10.0-ubi - webhook: - image: - tag: v0.10.0-ubi - certController: - image: - tag: v0.10.0-ubi diff --git a/common/hashicorp-vault/.github/workflows/update-helm-repo.yml b/common/hashicorp-vault/.github/workflows/update-helm-repo.yml deleted file mode 100644 index c12af2b5..00000000 --- a/common/hashicorp-vault/.github/workflows/update-helm-repo.yml +++ /dev/null @@ -1,29 +0,0 @@ -# This invokes the workflow named 'publish-charts' in the umbrella repo -# It expects to have a secret called CHARTS_REPOS_TOKEN which contains -# the GitHub token that has permissions to invoke workflows and commit code -# inside the umbrella-repo. -# The following fine-grained permissions were used in testing and were limited -# to the umbrella repo only: -# - Actions: r/w -# - Commit statuses: r/w -# - Contents: r/w -# - Deployments: r/w -# - Pages: r/w - -name: vp-patterns/update-helm-repo -on: - push: - tags: - - 'v[0-9]+.[0-9]+.[0-9]+' - -jobs: - helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: - contents: read - - update-helm-repo: - needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: read-all - secrets: inherit diff --git a/common/hashicorp-vault/Chart.yaml b/common/hashicorp-vault/Chart.yaml deleted file mode 100644 index 09d48391..00000000 --- a/common/hashicorp-vault/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -description: A Helm chart to configure Hashicorp's vault. -keywords: -- pattern -name: hashicorp-vault -version: 0.1.2 -dependencies: - - name: vault - version: "0.28.1" - repository: "https://helm.releases.hashicorp.com" diff --git a/common/hashicorp-vault/README.md b/common/hashicorp-vault/README.md deleted file mode 100644 index 28362080..00000000 --- a/common/hashicorp-vault/README.md +++ /dev/null @@ -1,29 +0,0 @@ -# VP hashicorp-vault - -## PRs - -Please send PRs [here](https://github.com/validatedpatterns/common) - -## Updating the chart - -1. Edit Chart.yaml with the new version -2. In the hashicorp-vault folder, run: `helm dependency update .` -3. Run `./update-helm-dependency.sh` -4. Check that the images in ./values.yaml are the same version as [upstream](https://github.com/hashicorp/vault-helm/blob/main/values.openshift.yaml) -5. Git add the new chart in `./charts/vault-.tgz` - -## Patches - -### Issue 674 - -In order to be able to use vault ssl we need to patch the helm chart to fix -upstream issue 674. - -Make sure to run "./update-helm-dependency.sh" after you updated the subchart -(by calling helm dependency update .) - -We can drop this local patch when any one the two conditions is true: - -- [1] is fixed in helm and we can require the version that for installs -- [PR#779](https://github.com/hashicorp/vault-helm/pull/779) is merged in vault-helm *and* our minimum supported OCP version - is OCP 4.11 (route subdomain is broken in OCP < 4.11 due to missing [commit](https://github.com/openshift/router/commit/6f730c7cae966f0ed8def50c81d1bf10fe9eb77b) diff --git a/common/hashicorp-vault/charts/vault-0.28.1.tgz b/common/hashicorp-vault/charts/vault-0.28.1.tgz deleted file mode 100644 index ef0f05f5..00000000 Binary files a/common/hashicorp-vault/charts/vault-0.28.1.tgz and /dev/null differ diff --git a/common/hashicorp-vault/local-patches/0001-Allow-per-service-annotations.patch b/common/hashicorp-vault/local-patches/0001-Allow-per-service-annotations.patch deleted file mode 100644 index 796b64cf..00000000 --- a/common/hashicorp-vault/local-patches/0001-Allow-per-service-annotations.patch +++ /dev/null @@ -1,116 +0,0 @@ -diff -up vault/templates/_helpers.tpl.0.26.1 vault/templates/_helpers.tpl ---- vault/templates/_helpers.tpl.0.26.1 2023-11-07 14:06:52.285821136 +0100 -+++ vault/templates/_helpers.tpl 2023-11-07 14:07:45.445038627 +0100 -@@ -738,6 +738,35 @@ Sets extra vault server Service annotati - {{- end -}} - - {{/* -+Sets extra vault server Service internal annotations -+*/}} -+{{- define "vault.service.internal.annotations" -}} -+ {{- if .Values.server.service.internal.annotations }} -+ {{- $tp := typeOf .Values.server.service.internal.annotations }} -+ {{- if eq $tp "string" }} -+ {{- tpl .Values.server.service.internal.annotations . | nindent 4 }} -+ {{- else }} -+ {{- toYaml .Values.server.service.internal.annotations | nindent 4 }} -+ {{- end }} -+ {{- end }} -+{{- end -}} -+{{/* -+Sets extra vault server Service nonha annotations -+Note: We call it 'nonha' as we need to differentiate the "vault.service.annotations" which are -+ applied to all services -+*/}} -+{{- define "vault.service.nonha.annotations" -}} -+ {{- if .Values.server.service.nonha.annotations }} -+ {{- $tp := typeOf .Values.server.service.nonha.annotations }} -+ {{- if eq $tp "string" }} -+ {{- tpl .Values.server.service.nonha.annotations . | nindent 4 }} -+ {{- else }} -+ {{- toYaml .Values.server.service.nonha.annotations | nindent 4 }} -+ {{- end }} -+ {{- end }} -+{{- end -}} -+ -+{{/* - Sets PodSecurityPolicy annotations - */}} - {{- define "vault.psp.annotations" -}} -diff -up vault/templates/server-headless-service.yaml.0.26.1 vault/templates/server-headless-service.yaml ---- vault/templates/server-headless-service.yaml.0.26.1 2023-11-07 14:08:24.302197609 +0100 -+++ vault/templates/server-headless-service.yaml 2023-11-07 14:08:48.707297472 +0100 -@@ -21,6 +21,7 @@ metadata: - vault-internal: "true" - annotations: - {{ template "vault.service.annotations" .}} -+{{ template "vault.service.internal.annotations" .}} - spec: - {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} - {{- if .Values.server.service.ipFamilyPolicy }} -diff -up vault/templates/server-service.yaml.0.26.1 vault/templates/server-service.yaml ---- vault/templates/server-service.yaml.0.26.1 2023-11-07 14:09:43.152520231 +0100 -+++ vault/templates/server-service.yaml 2023-11-07 14:09:55.406570360 +0100 -@@ -20,6 +20,7 @@ metadata: - app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: - {{ template "vault.service.annotations" .}} -+{{ template "vault.service.nonha.annotations" .}} - spec: - {{- if .Values.server.service.type}} - type: {{ .Values.server.service.type }} -diff -up vault/values.schema.json.0.26.1 vault/values.schema.json ---- vault/values.schema.json.0.26.1 2023-11-07 14:10:35.177733085 +0100 -+++ vault/values.schema.json 2023-11-07 14:11:52.244048399 +0100 -@@ -931,6 +931,28 @@ - } - } - }, -+ "internal": { -+ "type": "object", -+ "properties": { -+ "annotations": { -+ "type": [ -+ "object", -+ "string" -+ ] -+ } -+ } -+ }, -+ "nonha": { -+ "type": "object", -+ "properties": { -+ "annotations": { -+ "type": [ -+ "object", -+ "string" -+ ] -+ } -+ } -+ }, - "annotations": { - "type": [ - "object", -diff -up vault/values.yaml.0.26.1 vault/values.yaml ---- vault/values.yaml.0.26.1 2023-11-07 14:13:00.865329166 +0100 -+++ vault/values.yaml 2023-11-07 14:14:15.318633813 +0100 -@@ -673,6 +673,19 @@ server: - # YAML-formatted multi-line templated string map of the annotations to apply - # to the standby service. - annotations: {} -+ -+ nonha: -+ # Extra annotations for the service definition. This can either be YAML or a -+ # YAML-formatted multi-line templated string map of the annotations to apply -+ # to the service. -+ annotations: {} -+ -+ internal: -+ # Extra annotations for the service definition. This can either be YAML or a -+ # YAML-formatted multi-line templated string map of the annotations to apply -+ # to the service. -+ annotations: {} -+ - # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` - # When disabled, services may select Vault pods not deployed from the chart. - # Does not affect the headless vault-internal service with `ClusterIP: None` diff --git a/common/hashicorp-vault/templates/vault-app.yaml b/common/hashicorp-vault/templates/vault-app.yaml deleted file mode 100644 index bbe16e14..00000000 --- a/common/hashicorp-vault/templates/vault-app.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL:  - href: 'https://vault-vault.{{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }}' - location: ApplicationMenu - text: 'Vault' diff --git a/common/hashicorp-vault/update-helm-dependency.sh b/common/hashicorp-vault/update-helm-dependency.sh deleted file mode 100755 index 2551d888..00000000 --- a/common/hashicorp-vault/update-helm-dependency.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash -set -eu -o pipefail - -# Get the version of the dependency and then unquote it -TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }') -VERSION=$(eval echo "${TMPVER}") - -# Chart format is vault-0.21.0.tgz -NAME="vault" -TAR="${NAME}-${VERSION}.tgz" -CHARTDIR="charts" - -if [ ! -f "${CHARTDIR}/${TAR}" ]; then - echo "Charts $TAR not found" - exit 1 -fi - -pushd "${CHARTDIR}" -rm -rf "${NAME}" -tar xfz "${TAR}" -pushd "${NAME}" -for i in ../../local-patches/*.patch; do - filterdiff "${i}" -p1 -x 'test/*' | patch -p1 -done -find . -type f -iname '*.orig' -exec rm -f "{}" \; -popd -tar cvfz "${TAR}" "${NAME}" -rm -rf "${NAME}" -popd diff --git a/common/hashicorp-vault/values.yaml b/common/hashicorp-vault/values.yaml deleted file mode 100644 index 3b16a951..00000000 --- a/common/hashicorp-vault/values.yaml +++ /dev/null @@ -1,51 +0,0 @@ ---- -global: - openshift: true - localClusterDomain: apps.foo.cluster.com - -vault: - injector: - enabled: false - ui: - enabled: true - server: - extraEnvironmentVars: - VAULT_CACERT: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - VAULT_ADDR: https://vault.vault.svc.cluster.local:8200 - standalone: - config: | - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } - - # These are automatically mounted in /vault/userconfig/ - extraVolumes: - - type: secret - name: vault-secret - - service: - enabled: true - nonha: - annotations: - service.beta.openshift.io/serving-cert-secret-name: vault-secret - internal: - annotations: - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal - route: - host: null - enabled: true - tls: - # We cannot use passthrough because you'd be talking to - # https://vault-vault.apps.mcg-hub.blueprints.rhecoeng.com but you'd - # get vault.vault.svc/vault.vault.svc.cluster.local - termination: "reencrypt" - image: - repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.17.3-ubi" diff --git a/common/letsencrypt/.github/workflows/update-helm-repo.yml b/common/letsencrypt/.github/workflows/update-helm-repo.yml deleted file mode 100644 index c12af2b5..00000000 --- a/common/letsencrypt/.github/workflows/update-helm-repo.yml +++ /dev/null @@ -1,29 +0,0 @@ -# This invokes the workflow named 'publish-charts' in the umbrella repo -# It expects to have a secret called CHARTS_REPOS_TOKEN which contains -# the GitHub token that has permissions to invoke workflows and commit code -# inside the umbrella-repo. -# The following fine-grained permissions were used in testing and were limited -# to the umbrella repo only: -# - Actions: r/w -# - Commit statuses: r/w -# - Contents: r/w -# - Deployments: r/w -# - Pages: r/w - -name: vp-patterns/update-helm-repo -on: - push: - tags: - - 'v[0-9]+.[0-9]+.[0-9]+' - -jobs: - helmlint: - uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: - contents: read - - update-helm-repo: - needs: [helmlint] - uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486 - permissions: read-all - secrets: inherit diff --git a/common/letsencrypt/.helmignore b/common/letsencrypt/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/common/letsencrypt/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/common/letsencrypt/Chart.yaml b/common/letsencrypt/Chart.yaml deleted file mode 100644 index d8a9810f..00000000 --- a/common/letsencrypt/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v2 -name: letsencrypt -description: A Helm chart to add letsencrypt support to Validated Patterns. - -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "1.16.0" diff --git a/common/letsencrypt/README.md b/common/letsencrypt/README.md deleted file mode 100644 index ded97205..00000000 --- a/common/letsencrypt/README.md +++ /dev/null @@ -1,72 +0,0 @@ -# Letsencrypt support for Validated patterns - -This is an *EXPERIMENTAL* and *UNSUPPORTED* chart to enable letsencrypt support in the pattern. -Currently the only supported cloud for this is AWS. - -In order to enable this chart in your patterns, please add and edit the following lines to `values-AWS.yaml`: - - letsencrypt: - region: eu-central-1 # region of the cluster - server: https://acme-v02.api.letsencrypt.org/directory - # staging URL - # server: https://acme-staging-v02.api.letsencrypt.org/directory - email: foo@bar.it - - clusterGroup: - applications: - letsencrypt: - name: letsencrypt - namespace: letsencrypt - project: default - path: common/letsencrypt - -Once the above is enabled in a pattern, a certain amount of time (~15/20 minutes or so) is needed for all the cluster operators to settle, all the HTTPS routes will have a wildcard certificate signed by letsencrypt. By default also the API endpoint will use a certificate signed by letsencrypt. - -## PRs - -Please send PRs [here](https://github.com/validatedpatterns/common) - -## Limitations - -Please be aware of the following gotchas when using this chart: - -1. Once the API certificate has been replaced with the letsencrypt one, the `oc` commands might fail with x509 unknown certificate authority errors. - You need to remove the previous CA from the kubeconfig file. Run: `oc config set-cluster --certificate-authority="/dev/null" --embed-certs` -2. When you switch to non-staging letsencrypt certificates, things might fail if you asked for too many certificates over the last few days. -3. The cluster takes ~20-30 mins to fully settle when both the API endpoint and the default ingress certificates are implemented - -## Implementation - -This chart creates a Cloud Credential that is allowed to write and read DNS entries via Route53 in AWS. That credential is then used by cert-manager to prove ownership of the DNS zone and answer the ACME DNS01 challenges. -We ask for a single wildcard certificate for the default Ingress *.apps.domain and one non-wildcard certificate for the API endpoint api.domain. -We use Argo's Server-Side Apply feature to patch in the Ingress Controller and the API endpoint certificates. -Currently we also patch the main cluster-wide Argo instance to set the tls route to `reencrypt` in order have a proper cert there. Once issue 297 in the gitops-operator repository is fixed, we can drop that. - -## Parameters - -### global parameters - -This section contains the global parameters consumed by this chart - -| Name | Description | Value | -| --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------ | -| `global.localClusterDomain` | String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework | `apps.example.com` | - -### letsencrypt parameters - -This section contains all the parameters for the letsencrypt -chart in order to request CA signed certificates in a Validated Pattern - -| Name | Description | Value | -| -------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | -| `letsencrypt.enabled` | Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True) | `true` | -| `letsencrypt.api_endpoint` | Boolean to enable letsencrypt certs on the API endpoint too (defaults to True) | `true` | -| `letsencrypt.region` | String that defines the region used by the route53/dns01 resolver in cert-manager (required) | `eu-central-1` | -| `letsencrypt.email` | String containing the email used when requesting certificates to letsencrypt (required) | `test@example.com` | -| `letsencrypt.server` | String containing the letsencrypt ACME URL (Defaults to the staging server) | `https://acme-staging-v02.api.letsencrypt.org/directory` | -| `letsencrypt.organizations` | List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io]) | `["hybrid-cloud-patterns.io"]` | -| `letsencrypt.usages` | List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth]) | `["server auth"]` | -| `letsencrypt.duration` | Duration of the requested letsencrypt certificates (Defaults to 168h0m0s) | `168h0m0s` | -| `letsencrypt.renewBefore` | How long before expiration date should the certs be renewed (Defaults to 28h0m0s) | `28h0m0s` | -| `letsencrypt.nameservers` | List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) | `["8.8.8.8:53","1.1.1.1:53"]` | -| `letsencrypt.certmanagerChannel` | String the channel to install cert-manager from (Defaults to "stable-v1") | `stable-v1` | diff --git a/common/letsencrypt/templates/api-cert.yaml b/common/letsencrypt/templates/api-cert.yaml deleted file mode 100644 index ed9e7c0e..00000000 --- a/common/letsencrypt/templates/api-cert.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{ if and (.Values.letsencrypt.enabled) (.Values.letsencrypt.api_endpoint) }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: {{ .Values.letsencrypt.duration }} - renewBefore: {{ .Values.letsencrypt.renewBefore }} - commonName: 'api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}' - usages: - {{- range .Values.letsencrypt.usages }} - - {{ . }} - {{- end }} - dnsNames: - - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }} - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - {{- range .Values.letsencrypt.organizations }} - - {{ . }} - {{- end }} -{{- end }} diff --git a/common/letsencrypt/templates/cert-manager-installation.yaml b/common/letsencrypt/templates/cert-manager-installation.yaml deleted file mode 100644 index 59375b00..00000000 --- a/common/letsencrypt/templates/cert-manager-installation.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{ if .Values.letsencrypt.enabled }} ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "{{ .Values.letsencrypt.certmanagerChannel }}" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers={{ with index .Values.letsencrypt.nameservers 0 }}{{ . }}{{- end }},{{ with index .Values.letsencrypt.nameservers 1 }}{{ . }}{{- end }}" - - "--dns01-recursive-nameservers-only" -{{- end }} diff --git a/common/letsencrypt/templates/credentials-request.yaml b/common/letsencrypt/templates/credentials-request.yaml deleted file mode 100644 index 27aad295..00000000 --- a/common/letsencrypt/templates/credentials-request.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{ if .Values.letsencrypt.enabled }} -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager -{{- end }} diff --git a/common/letsencrypt/templates/default-routes.yaml b/common/letsencrypt/templates/default-routes.yaml deleted file mode 100644 index 8a01db6a..00000000 --- a/common/letsencrypt/templates/default-routes.yaml +++ /dev/null @@ -1,46 +0,0 @@ -{{ if .Values.letsencrypt.enabled }} ---- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt -{{ if .Values.letsencrypt.api_endpoint }} ---- -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }} - servingCertificate: - name: api-validated-patterns-letsencrypt-cert -{{- end }} -{{- end }} diff --git a/common/letsencrypt/templates/issuer.yaml b/common/letsencrypt/templates/issuer.yaml deleted file mode 100644 index 1370500f..00000000 --- a/common/letsencrypt/templates/issuer.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{ if .Values.letsencrypt.enabled }} -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: {{ .Values.letsencrypt.server }} - email: {{ .Values.letsencrypt.email }} - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: {{ .Values.letsencrypt.region }} - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key -{{- end }} diff --git a/common/letsencrypt/templates/namespaces.yaml b/common/letsencrypt/templates/namespaces.yaml deleted file mode 100644 index a4f65fe5..00000000 --- a/common/letsencrypt/templates/namespaces.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{ if .Values.letsencrypt.enabled }} -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -{{- end }} diff --git a/common/letsencrypt/templates/wildcard-cert.yaml b/common/letsencrypt/templates/wildcard-cert.yaml deleted file mode 100644 index e7b82480..00000000 --- a/common/letsencrypt/templates/wildcard-cert.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{ if .Values.letsencrypt.enabled }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: {{ .Values.letsencrypt.duration }} - renewBefore: {{ .Values.letsencrypt.renewBefore }} - commonName: '*.{{ $.Values.global.localClusterDomain }}' - usages: - {{- range .Values.letsencrypt.usages }} - - {{ . }} - {{- end }} - dnsNames: - - '*.{{ $.Values.global.localClusterDomain }}' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - {{- range .Values.letsencrypt.organizations }} - - {{ . }} - {{- end }} -{{- end }} diff --git a/common/letsencrypt/values.yaml b/common/letsencrypt/values.yaml deleted file mode 100644 index a95957b8..00000000 --- a/common/letsencrypt/values.yaml +++ /dev/null @@ -1,60 +0,0 @@ -# NOTE: This is currently an experimental/unsupported chart! -# Default values for the experimental letsencrypt chart -# Generate the README.md sections using https://github.com/bitnami-labs/readme-generator-for-helm -# -## @section global parameters -## @descriptionStart This section contains the global parameters consumed by this chart -## @descriptionEnd -global: - ## @param global.localClusterDomain String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework - localClusterDomain: "apps.example.com" - -## @section letsencrypt parameters -## @descriptionStart This section contains all the parameters for the letsencrypt -## chart in order to request CA signed certificates in a Validated Pattern -## @descriptionEnd -letsencrypt: - # By default if you include this chart you enable the letsencrypt charts - # on both the *.apps. ingress and on the API endpoint - ## @param letsencrypt.enabled Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True) - enabled: true - ## @param letsencrypt.api_endpoint Boolean to enable letsencrypt certs on the API endpoint too (defaults to True) - api_endpoint: true - - # These two lines need tweaking for every deployment. @example.com emails - # will be rejected by letsencrypt - ## @param letsencrypt.region String that defines the region used by the route53/dns01 resolver in cert-manager (required) - region: eu-central-1 - ## @param letsencrypt.email String containing the email used when requesting certificates to letsencrypt (required) - email: test@example.com - - # By default we use the staging URL to avoid any ratelimiting while testing - # To switch to the production certificates signed by a recognized CA, please - # switch the comments around in the two following lines - ## @param letsencrypt.server String containing the letsencrypt ACME URL (Defaults to the staging server) - server: https://acme-staging-v02.api.letsencrypt.org/directory - # server: https://acme-v02.api.letsencrypt.org/directory - - # These are only for metadata in the certificates - ## @param letsencrypt.organizations List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io]) - organizations: - - hybrid-cloud-patterns.io - ## @param letsencrypt.usages List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth]) - usages: - - server auth - - ## @param letsencrypt.duration Duration of the requested letsencrypt certificates (Defaults to 168h0m0s) - duration: "168h0m0s" - ## @param letsencrypt.renewBefore How long before expiration date should the certs be renewed (Defaults to 28h0m0s) - renewBefore: "28h0m0s" - - # These two are needed because the DNS01 ACME solver needs outside DNS - # servers and won't really work with openshift's internal split-view DNS servers - # https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check - ## @param letsencrypt.nameservers List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) - nameservers: - - 8.8.8.8:53 - - 1.1.1.1:53 - - ## @param letsencrypt.certmanagerChannel String the channel to install cert-manager from (Defaults to "stable-v1") - certmanagerChannel: "stable-v1" diff --git a/common/operator-install/Chart.yaml b/common/operator-install/Chart.yaml deleted file mode 100644 index 74adcf8f..00000000 --- a/common/operator-install/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: A Helm chart to build and deploy a Cloud Pattern via the patterns operator -keywords: -- pattern -name: pattern-install -version: 0.0.1 diff --git a/common/operator-install/README.md b/common/operator-install/README.md deleted file mode 100644 index a333860e..00000000 --- a/common/operator-install/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# Update CRD - -In order to update the CRD, copy the following file from the last released patterns operator version: -`cp -v patterns-operator/config/crd/bases/gitops.hybrid-cloud-patterns.io_patterns.yaml ./crds/` diff --git a/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml b/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml deleted file mode 100644 index b3d769bb..00000000 --- a/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml +++ /dev/null @@ -1,245 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - name: patterns.gitops.hybrid-cloud-patterns.io -spec: - group: gitops.hybrid-cloud-patterns.io - names: - kind: Pattern - listKind: PatternList - plural: patterns - shortNames: - - patt - singular: pattern - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastStep - name: Step - priority: 1 - type: string - - jsonPath: .status.lastError - name: Error - priority: 2 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Pattern is the Schema for the patterns API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PatternSpec defines the desired state of Pattern - properties: - analyticsUUID: - description: Analytics UUID. Leave empty to autogenerate a random - one. Not PII information - type: string - clusterGroupName: - type: string - experimentalCapabilities: - description: Comma separated capabilities to enable certain experimental - features - type: string - extraParameters: - description: |- - .Name is dot separated per the helm --set syntax, such as: - global.something.field - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - extraValueFiles: - description: URLs to additional Helm parameter files - items: - type: string - type: array - gitOpsSpec: - properties: - manualSync: - description: 'Require manual intervention before Argo will sync - new content. Default: False' - type: boolean - type: object - gitSpec: - properties: - hostname: - description: Optional. FQDN of the git server if automatic parsing - from TargetRepo is broken - type: string - originRepo: - description: Upstream git repo containing the pattern to deploy. - Used when in-cluster fork to point to the upstream pattern repository - type: string - originRevision: - description: Branch, tag or commit in the upstream git repository. - Does not support short-sha's. Default to HEAD - type: string - pollInterval: - default: 180 - description: 'Interval in seconds to poll for drifts between origin - and target repositories. Default: 180 seconds' - type: integer - targetRepo: - description: Git repo containing the pattern to deploy. Must use - https/http or, for ssh, git@server:foo/bar.git - type: string - targetRevision: - description: 'Branch, tag, or commit to deploy. Does not support - short-sha''s. Default: HEAD' - type: string - tokenSecret: - description: |- - Optional. K8s secret name where the info for connecting to git can be found. The supported secrets are modeled after the - private repositories in argo (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) - currently ssh and username+password are supported - type: string - tokenSecretNamespace: - description: Optional. K8s secret namespace where the token for - connecting to git can be found - type: string - required: - - targetRepo - type: object - multiSourceConfig: - properties: - clusterGroupChartGitRevision: - default: main - description: |- - The git reference when deploying the clustergroup helm chart directly from a git repo - Defaults to 'main'. (Only used when developing the clustergroup helm chart) - type: string - clusterGroupChartVersion: - description: Which chart version for the clustergroup helm chart. - Defaults to "0.8.*" - type: string - clusterGroupGitRepoUrl: - description: |- - The url when deploying the clustergroup helm chart directly from a git repo - Defaults to '' which means not used (Only used when developing the clustergroup helm chart) - type: string - enabled: - default: true - description: (EXPERIMENTAL) Enable multi-source support when deploying - the clustergroup argo application - type: boolean - helmRepoUrl: - description: The helm chart url to fetch the helm charts from - in order to deploy the pattern. Defaults to https://charts.validatedpatterns.io/ - type: string - type: object - required: - - clusterGroupName - - gitSpec - type: object - status: - description: PatternStatus defines the observed state of Pattern - properties: - analyticsSent: - default: 0 - type: integer - analyticsUUID: - type: string - appClusterDomain: - type: string - applications: - items: - description: |- - PatternApplicationInfo defines the Applications - Status for the Pattern. - This structure is part of the PatternStatus as an array - The Application Status will be included as part of the Observed state of Pattern - properties: - healthMessage: - type: string - healthStatus: - type: string - name: - type: string - namespace: - type: string - syncStatus: - type: string - type: object - type: array - clusterDomain: - type: string - clusterID: - type: string - clusterName: - type: string - clusterPlatform: - type: string - clusterVersion: - type: string - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - lastUpdateTime: - description: The last time this condition was updated. - format: date-time - type: string - message: - description: A human readable message indicating details about - the transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of deployment condition. - type: string - required: - - lastUpdateTime - - status - - type - type: object - type: array - lastError: - description: Last error encountered by the pattern - type: string - lastStep: - description: Last action related to the pattern - type: string - path: - type: string - version: - description: Number of updates to the pattern - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/common/operator-install/templates/pattern-operator-configmap.yaml b/common/operator-install/templates/pattern-operator-configmap.yaml deleted file mode 100644 index 17b7a026..00000000 --- a/common/operator-install/templates/pattern-operator-configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: {{ .Values.main.gitops.operatorSource }} - gitops.channel: {{ .Values.main.gitops.channel }} - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName diff --git a/common/operator-install/templates/pattern.yaml b/common/operator-install/templates/pattern.yaml deleted file mode 100644 index 3eda9482..00000000 --- a/common/operator-install/templates/pattern.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: {{ .Release.Name }} - namespace: openshift-operators -spec: - clusterGroupName: {{ .Values.main.clusterGroupName }} - gitSpec: -{{- if .Values.main.git.repoUpstreamURL }} - originRepo: {{ .Values.main.git.repoUpstreamURL }} -{{- end }} {{/* if .Values.main.git.repoUpstreamURL */}} - targetRepo: {{ .Values.main.git.repoURL }} - targetRevision: {{ .Values.main.git.revision }} -{{- if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace }} - tokenSecret: {{ .Values.main.tokenSecret }} - tokenSecretNamespace: {{ .Values.main.tokenSecretNamespace }} -{{- end }} {{/* if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace */}} - multiSourceConfig: - enabled: {{ .Values.main.multiSourceConfig.enabled }} -{{- if .Values.main.multiSourceConfig.helmRepoUrl }} - helmRepoUrl: {{ .Values.main.multiSourceConfig.helmRepoUrl }} -{{- end }} {{/* if .Values.main.multiSourceConfig.helmRepoUrl */}} -{{- if .Values.main.analyticsUUID }} - analyticsUUID: {{ .Values.main.analyticsUUID }} -{{- end }} {{/* if .Values.main.analyticsUUID */}} -{{- if .Values.main.experimentalCapabilities }} - experimentalCapabilities: {{ .Values.main.experimentalCapabilities }} -{{- end }} {{/* if .Values.main.experimentalCapabilities */}} -{{- if .Values.main.extraParameters }} - extraParameters: -{{- range .Values.main.extraParameters }} - - name: {{ .name | quote }} - value: {{ .value | quote }} -{{- end }} {{/* range .Values.main.extraParameters */}} -{{- end }} {{/* if .Values.main.extraParameters */}} -{{- if .Values.global.extraValueFiles }} - extraValueFiles: -{{- range .Values.global.extraValueFiles }} - - {{ . | quote }} -{{- end }} {{/* range .Values.global.extraValueFiles */}} -{{- end }} {{/* if .Values.global.extraValueFiles */}} diff --git a/common/operator-install/templates/subscription.yaml b/common/operator-install/templates/subscription.yaml deleted file mode 100644 index e8285cae..00000000 --- a/common/operator-install/templates/subscription.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: {{ .Values.main.patternsOperator.channel }} - installPlanApproval: {{ .Values.main.patternsOperator.installPlanApproval }} - name: patterns-operator - source: {{ .Values.main.patternsOperator.source }} - sourceNamespace: {{ .Values.main.patternsOperator.sourceNamespace }} - {{- if .Values.main.patternsOperator.startingCSV }} - startingCSV: {{ .Values.main.patternsOperator.startingCSV }} - {{- end }} diff --git a/common/operator-install/values.yaml b/common/operator-install/values.yaml deleted file mode 100644 index 62c9943a..00000000 --- a/common/operator-install/values.yaml +++ /dev/null @@ -1,38 +0,0 @@ -global: - extraValueFiles: [] - -main: - git: - # Uncommenting this will set the `originRepo` with the below value - # when `originRepo` is set, an in-cluster gitea will automatically be spawned. - # In this case `originRepo` will point to the upstream repository and `targetRepo` - # will point to the internal in-cluster gitea mirror - # repoUpstreamURL: https://github.com/validatedpatterns/multicloud-gitops - repoURL: https://github.com/pattern-clone/mypattern - revision: main - - gitops: - channel: "gitops-1.13" - operatorSource: redhat-operators - - multiSourceConfig: - enabled: false - # helmRepoUrl: registry.internal.network/helm - - # String to enable certain experimental capabilities in the operator and the - # framework. Not needed unless you know exactly what you're doing. - experimentalCapabilities: "" - - patternsOperator: - channel: fast - source: community-operators - installPlanApproval: Automatic - sourceNamespace: openshift-marketplace - startingCSV: null - - clusterGroupName: default - - # If you are using a private repository define the secret where - # credentials to access the private repository are - # tokenSecret: - # tokenSecretNamespace: diff --git a/common/reference-output.yaml b/common/reference-output.yaml deleted file mode 100644 index 1eef9745..00000000 --- a/common/reference-output.yaml +++ /dev/null @@ -1,119 +0,0 @@ ---- -# Source: pattern-install/templates/argocd/namespace.yaml -# Pre-create so we can create our argo app for keeping subscriptions in sync -# Do it here so that we don't try to sync it in the future -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-gitops ---- -# Source: pattern-install/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: manuela-ci - labels: - manuela-role: pipeline - app.kubernetes.io/instance: manuela ---- -# Source: pattern-install/templates/pipeline/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pipeline - namespace: manuela-ci -secrets: -- name: git-repo-credentials -- name: image-registry-credentials ---- -# Source: pattern-install/templates/secrets/s3-secret.yaml -kind: Secret -apiVersion: v1 -metadata: - name: s3-secret -type: Opaque -data: - # Pre-create as part of the initial 'helm install' chart - # Create a file with the following: - # s3.accessKey: KEY - # s3.secretKey: secret key - #application.properties: base64 encrypted value of the above file - # This should live in the values-secret.yaml file - application.properties: BASE64STRING ---- -# Source: pattern-install/templates/secrets/secret-git-repo-credentials.yaml -apiVersion: v1 -kind: Secret -metadata: - name: git-repo-credentials - namespace: manuela-ci - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/git-0: https://github.com/hybrid-cloud-patterns -type: kubernetes.io/basic-auth -stringData: - username: STRING - password: STRING ---- -# Source: pattern-install/templates/secrets/secret-image-registry-credentials.yaml -apiVersion: v1 -kind: Secret -metadata: - name: openshift-registry-credentials - namespace: manuela-ci - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/docker-0: "https://" -type: kubernetes.io/basic-auth -stringData: - username: STRING - password: STRING ---- -# Source: pattern-install/templates/argocd/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: common-example - namespace: openshift-gitops -spec: - destination: - name: in-cluster - namespace: common-example - project: default - source: - repoURL: https://github.com/beekhof/common.git - targetRevision: main - path: common/clustergroup - helm: - valueFiles: - - "https://github.com/beekhof/patterns/raw/main/values-global.yaml" - - "https://github.com/beekhof/patterns/raw/main/values-example.yaml" - # Track the progress of https://github.com/argoproj/argo-cd/pull/6280 - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.valuesDirectoryURL - value: https://github.com/beekhof/patterns/raw/main - - name: global.pattern - value: common - syncPolicy: - automated: {} ---- -# Source: pattern-install/templates/argocd/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: "" -spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/requirements.yml b/common/requirements.yml new file mode 100644 index 00000000..cb11ca24 --- /dev/null +++ b/common/requirements.yml @@ -0,0 +1,4 @@ +--- +# Define Ansible collection requirements here +collections: + - name: git+https://github.com/validatedpatterns/rhvp.cluster_utils.git,v1 diff --git a/common/scripts/display-secrets-info.sh b/common/scripts/display-secrets-info.sh index 124a3454..d9915855 100755 --- a/common/scripts/display-secrets-info.sh +++ b/common/scripts/display-secrets-info.sh @@ -10,10 +10,6 @@ SCRIPT=$(get_abs_filename "$0") SCRIPTPATH=$(dirname "${SCRIPT}") COMMONPATH=$(dirname "${SCRIPTPATH}") PATTERNPATH=$(dirname "${COMMONPATH}") -ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" -PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" - -export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" if [ "$#" -ge 1 ]; then export VALUES_SECRET=$(get_abs_filename "${1}") @@ -27,4 +23,4 @@ fi PATTERN_NAME=$(basename "`pwd`") -ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" -e secrets_backing_store="${SECRETS_BACKING_STORE}" -e override_no_log=false "${PLAYBOOKPATH}/process_secrets/display_secrets_info.yml" +ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" -e secrets_backing_store="${SECRETS_BACKING_STORE}" -e override_no_log=false "rhvp.cluster_utils.display_secrets_info" diff --git a/common/scripts/lint.sh b/common/scripts/lint.sh deleted file mode 100755 index 3a3d8e6f..00000000 --- a/common/scripts/lint.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -# helm template (even with --dry-run) can interact with the cluster -# This won't protect us if a user has ~/.kube -# Also call helm template with a non existing --kubeconfig while we're at it -unset KUBECONFIG -target=$1 -shift -name=$(echo $target | sed -e s@/@-@g -e s@charts-@@) - -# Test the charts as the pattern would drive them -INPUTS=$(ls -1 common/examples/*.yaml | grep -v secret) -for input in $INPUTS; do - helm lint $* -f $input $target - if [ $? != 0 ]; then exit 1; fi -done - -exit 0 diff --git a/common/scripts/load-k8s-secrets.sh b/common/scripts/load-k8s-secrets.sh index 33c2f9a5..9219f92f 100755 --- a/common/scripts/load-k8s-secrets.sh +++ b/common/scripts/load-k8s-secrets.sh @@ -10,10 +10,7 @@ SCRIPT=$(get_abs_filename "$0") SCRIPTPATH=$(dirname "${SCRIPT}") COMMONPATH=$(dirname "${SCRIPTPATH}") PATTERNPATH=$(dirname "${COMMONPATH}") -ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" -PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" -export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" PATTERN_NAME=${1:-$(basename "`pwd`")} -ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" "${PLAYBOOKPATH}/k8s_secrets/k8s_secrets.yml" +ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" "rhvp.cluster_utils.k8s_secrets" diff --git a/common/scripts/pattern-util.sh b/common/scripts/pattern-util.sh index 8fa4a26f..cb7fc873 100755 --- a/common/scripts/pattern-util.sh +++ b/common/scripts/pattern-util.sh @@ -71,22 +71,26 @@ fi # $HOME is mounted to /root because the UID in the container is 0 and that's where SSH looks for credentials podman run -it --rm --pull=newer \ - --security-opt label=disable \ - -e EXTRA_HELM_OPTS \ - -e EXTRA_PLAYBOOK_OPTS \ - -e VALUES_SECRET \ - -e KUBECONFIG \ - -e K8S_AUTH_HOST \ - -e K8S_AUTH_VERIFY_SSL \ - -e K8S_AUTH_SSL_CA_CERT \ - -e K8S_AUTH_USERNAME \ - -e K8S_AUTH_PASSWORD \ - -e K8S_AUTH_TOKEN \ - ${PKI_HOST_MOUNT_ARGS} \ - -v "${HOME}":"${HOME}" \ - -v "${HOME}":/pattern-home \ - ${PODMAN_ARGS} \ - ${EXTRA_ARGS} \ - -w "$(pwd)" \ - "$PATTERN_UTILITY_CONTAINER" \ - $@ + --security-opt label=disable \ + -e EXTRA_HELM_OPTS \ + -e EXTRA_PLAYBOOK_OPTS \ + -e TARGET_ORIGIN \ + -e NAME \ + -e TOKEN_SECRET \ + -e TOKEN_NAMESPACE \ + -e VALUES_SECRET \ + -e KUBECONFIG \ + -e K8S_AUTH_HOST \ + -e K8S_AUTH_VERIFY_SSL \ + -e K8S_AUTH_SSL_CA_CERT \ + -e K8S_AUTH_USERNAME \ + -e K8S_AUTH_PASSWORD \ + -e K8S_AUTH_TOKEN \ + ${PKI_HOST_MOUNT_ARGS} \ + -v "${HOME}":"${HOME}" \ + -v "${HOME}":/pattern-home \ + ${PODMAN_ARGS} \ + ${EXTRA_ARGS} \ + -w "$(pwd)" \ + "$PATTERN_UTILITY_CONTAINER" \ + $@ diff --git a/common/scripts/process-secrets.sh b/common/scripts/process-secrets.sh index 509d6d71..47eff7fa 100755 --- a/common/scripts/process-secrets.sh +++ b/common/scripts/process-secrets.sh @@ -10,11 +10,8 @@ SCRIPT=$(get_abs_filename "$0") SCRIPTPATH=$(dirname "${SCRIPT}") COMMONPATH=$(dirname "${SCRIPTPATH}") PATTERNPATH=$(dirname "${COMMONPATH}") -ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" -PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" -export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" PATTERN_NAME=${1:-$(basename "`pwd`")} SECRETS_BACKING_STORE="$($SCRIPTPATH/determine-secretstore-backend.sh)" -ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" -e secrets_backing_store="${SECRETS_BACKING_STORE}" "${PLAYBOOKPATH}/process_secrets/process_secrets.yml" +ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" -e secrets_backing_store="${SECRETS_BACKING_STORE}" "rhvp.cluster_utils.process_secrets" diff --git a/common/scripts/test.sh b/common/scripts/test.sh deleted file mode 100755 index a2aae9f4..00000000 --- a/common/scripts/test.sh +++ /dev/null @@ -1,129 +0,0 @@ -#!/bin/bash - -# helm template (even with --dry-run) can interact with the cluster -# This won't protect us if a user has ~/.kube -# Also call helm template with a non existing --kubeconfig while we're at it -unset KUBECONFIG -target=$1 -name=$(echo $1 | sed -e s@/@-@g -e s@charts-@@) - -function doTest() { - TEST_VARIANT=$1 - CHART_OPTS="$2" - TESTDIR=tests - TEST=${name}-${TEST_VARIANT} - FILENAME=${TEST}.expected.yaml - OUTPUT=${TESTDIR}/.${FILENAME} - REFERENCE=${TESTDIR}/${FILENAME} - - echo -e "\nTesting $name chart (${TEST_VARIANT}) with opts [$CHART_OPTS]" >&2 - helm template --kubeconfig /tmp/doesnotexistever $target --name-template $name ${CHART_OPTS} > ${OUTPUT} - rc=$? - if [ $rc -ne 0 ]; then - echo "FAIL on helm template $target --name-template $name ${CHART_OPTS}" >&2 - exit 1 - fi - if [ ! -e ${REFERENCE} ]; then - cp ${OUTPUT} ${REFERENCE} - git add ${REFERENCE} - echo -e "\n\n#### Created test output\007\n\n\007" >&2 - fi - diff -u ${REFERENCE} ${OUTPUT} - rc=$? - if [ $rc = 0 ]; then - rm -f ${OUTPUT} - echo "PASS" >&2 - elif [ -z $GITHUB_ACTIONS ]; then - read -p "Are these changes expected? [y/N] " EXPECTED - case $EXPECTED in - y*|Y*) - echo "Updating ${REFERENCE}" - cp ${OUTPUT} ${REFERENCE} - rm -f ${OUTPUT} - rc=0 - ;; - *) ;; - esac - fi - if [ $rc != 0 ]; then - echo "FAIL" >&2 - exit $rc - fi -} - -function doTestCompare() { - TEST_VARIANT="differences" - TESTDIR=tests - TEST=${name} - FILENAME=${TEST}.expected.yaml - OUTPUT=${TESTDIR}/.${FILENAME} - REFERENCE=${TESTDIR}/${FILENAME} - - echo -e "\nTesting $name chart (${TEST_VARIANT})" >&2 - # Another method of finding variables missing from values.yaml, eg. - # - name: -datacenter - # + name: pattern-name-datacenter - - TEST=${name} - FILENAME=${TEST}.expected.diff - OUTPUT=${TESTDIR}/.${FILENAME} - REFERENCE=${TESTDIR}/${FILENAME} - - # Drop the date from the diff output, it will not be stable - diff -u ${TESTDIR}/${name}-naked.expected.yaml ${TESTDIR}/${name}-normal.expected.yaml | sed 's/\.yaml.*20[0-9][0-9].*/.yaml/g' > ${OUTPUT} - - if [ ! -e ${REFERENCE} -a -z $GITHUB_ACTIONS ]; then - cp ${OUTPUT} ${REFERENCE} - git add ${REFERENCE} - echo -e "\n\n#### Created test output\007\n\n\007" >&2 - fi - - diff -u ${REFERENCE} ${OUTPUT} - rc=$? - - if [ $rc = 0 ]; then - rm -f ${OUTPUT} - echo "PASS" >&2 - elif [ -z $GITHUB_ACTIONS ]; then - read -p "Are these changes expected? [y/N] " EXPECTED - case $EXPECTED in - y*|Y*) - echo "Updating ${REFERENCE}" - cp ${OUTPUT} ${REFERENCE} - rm -f ${OUTPUT} - rc=0 - ;; - *) ;; - esac - fi - if [ $rc != 0 ]; then - echo "FAIL" >&2 - exit $rc - fi -} - -if [ $2 = "all" ]; then - echo -e "\n#####################" >&2 - echo "### ${name}" >&2 - echo "#####################" >&2 - - # Test that all values used by the chart are in values.yaml with the same defaults as the pattern - doTest naked - - # Test the charts as the pattern would drive them - INPUTS=$(ls -1 common/examples/*.yaml | grep -v secret) - for input in $INPUTS; do - variant=normal - if [ "$input" != "common/examples/values-example.yaml" ]; then - variant=$(echo $input | sed -e 's@.*/@@' -e 's@\.yaml@@') - fi - doTest $variant "$3 -f $input" - done - - # Ensure the differences between the two results are also stable - #doTestCompare -else - doTest $2 "$3" -fi - -exit 0 diff --git a/common/scripts/vault-utils.sh b/common/scripts/vault-utils.sh index 310d76d6..b014e5a4 100755 --- a/common/scripts/vault-utils.sh +++ b/common/scripts/vault-utils.sh @@ -10,9 +10,6 @@ SCRIPT=$(get_abs_filename "$0") SCRIPTPATH=$(dirname "${SCRIPT}") COMMONPATH=$(dirname "${SCRIPTPATH}") PATTERNPATH=$(dirname "${COMMONPATH}") -ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" -PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" -export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" # Parse arguments if [ $# -lt 1 ]; then @@ -28,4 +25,4 @@ if [ -z ${TASK} ]; then exit 1 fi -ansible-playbook -t "${TASK}" -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" "${PLAYBOOKPATH}/vault/vault.yaml" +ansible-playbook -t "${TASK}" -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" "rhvp.cluster_utils.vault" diff --git a/common/scripts/write-token-kubeconfig.sh b/common/scripts/write-token-kubeconfig.sh index 12a2bb80..7544fac2 100755 --- a/common/scripts/write-token-kubeconfig.sh +++ b/common/scripts/write-token-kubeconfig.sh @@ -12,8 +12,5 @@ SCRIPT=$(get_abs_filename "$0") SCRIPTPATH=$(dirname "${SCRIPT}") COMMONPATH=$(dirname "${SCRIPTPATH}") PATTERNPATH=$(dirname "${COMMONPATH}") -ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" -PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" -export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" -ansible-playbook -e pattern_dir="${PATTERNPATH}" -e kubeconfig_file="${OUTPUTFILE}" "${PLAYBOOKPATH}/write-token-kubeconfig/write-token-kubeconfig.yml" +ansible-playbook -e pattern_dir="${PATTERNPATH}" -e kubeconfig_file="${OUTPUTFILE}" "rhvp.cluster_utils.write-token-kubeconfig" diff --git a/common/tests/acm-industrial-edge-factory.expected.yaml b/common/tests/acm-industrial-edge-factory.expected.yaml deleted file mode 100644 index 94c8254f..00000000 --- a/common/tests/acm-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,363 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/common/tests/acm-industrial-edge-hub.expected.yaml b/common/tests/acm-industrial-edge-hub.expected.yaml deleted file mode 100644 index 00cf4e4d..00000000 --- a/common/tests/acm-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,733 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-openshift-gitops-policy-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-openshift-gitops-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-factory-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-factory-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-factory-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: factory-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-openshift-gitops-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-factory-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: { - "matchExpressions": [ - { - "key": "vendor", - "operator": "In", - "values": [ - "OpenShift" - ] - } - ], - "matchLabels": { - "clusterGroup": "factory" - } -} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: golang-external-secrets - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: imperative - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-openshift-gitops-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: openshift-gitops - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-factory-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-factory-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-factory - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: factory-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-factory - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: factory - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-factory - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/common/tests/acm-medical-diagnosis-hub.expected.yaml b/common/tests/acm-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 5fea58d0..00000000 --- a/common/tests/acm-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,724 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-openshift-gitops-policy-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-openshift-gitops-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-region-one-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-region-one-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-region-one-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: region-one-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: region-one-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: region-one-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-openshift-gitops-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-region-one-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: region-one-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: { - "matchLabels": { - "clusterGroup": "region-one" - } -} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: golang-external-secrets - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: imperative - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-openshift-gitops-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: openshift-gitops - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-region-one-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-region-one-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-region-one - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: region-one-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: region-one-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-region-one - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: region-one - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-region-one - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/common/tests/acm-naked.expected.yaml b/common/tests/acm-naked.expected.yaml deleted file mode 100644 index 94c8254f..00000000 --- a/common/tests/acm-naked.expected.yaml +++ /dev/null @@ -1,363 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/common/tests/acm-normal.expected.yaml b/common/tests/acm-normal.expected.yaml deleted file mode 100644 index 6823a01b..00000000 --- a/common/tests/acm-normal.expected.yaml +++ /dev/null @@ -1,1894 +0,0 @@ ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: aws-cd-one-w-pool-acm-provision-edge ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: aws-ap-acm-provision-edge-install-config -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAxCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDAKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTIKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz -type: Opaque ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: azure-us-acm-provision-edge-install-config -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXp1cmUtdXMnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF6dXJlOgogICAgICB0eXBlOiBTdGFuZGFyZF9EOHNfdjMKY29tcHV0ZToKLSBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBuYW1lOiAnd29ya2VyJwogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhenVyZToKICAgICAgdHlwZTogU3RhbmRhcmRfRDhzX3YzCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhenVyZToKICAgIGJhc2VEb21haW5SZXNvdXJjZUdyb3VwTmFtZTogZG9qby1kbnMtem9uZXMKICAgIHJlZ2lvbjogZWFzdHVzCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== -type: Opaque ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-install-config - namespace: aws-cd-one-w-pool-acm-provision-edge -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWNkLW9uZS13LXBvb2wnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCmNvbXB1dGU6Ci0gaHlwZXJ0aHJlYWRpbmc6IEVuYWJsZWQKICBhcmNoaXRlY3R1cmU6IGFtZDY0CiAgbmFtZTogJ3dvcmtlcicKICByZXBsaWNhczogMwogIHBsYXRmb3JtOgogICAgYXdzOgogICAgICB0eXBlOiBtNS54bGFyZ2UKbmV0d29ya2luZzoKICBjbHVzdGVyTmV0d29yazoKICAtIGNpZHI6IDEwLjEyOC4wLjAvMTQKICAgIGhvc3RQcmVmaXg6IDIzCiAgbWFjaGluZU5ldHdvcms6CiAgLSBjaWRyOiAxMC4wLjAuMC8xNgogIG5ldHdvcmtUeXBlOiBPVk5LdWJlcm5ldGVzCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOgogIGF3czoKICAgIHJlZ2lvbjogYXAtc291dGhlYXN0LTEKcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz -type: Opaque ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-install-config - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWNkLXR3by13by1wb29sJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhd3M6CiAgICByZWdpb246IGFwLXNvdXRoZWFzdC0zCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== -type: Opaque ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/private-repo-policies.yaml -# We copy the vp-private-repo-credentials from the "openshift-gitops" namespace -# to the "open-cluster-management" via the "private-hub-policy" -# -# Then we copy the secret from the "open-cluster-management" namespace to the -# managed clusters "openshift-gitops" instance -# -# And we also copy the same secret to the namespaced argo's namespace ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim -metadata: - name: 'two-acm-provision-edge' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: two-acm-provision-edge - clusterGroup: region -spec: - clusterPoolName: azure-us-acm-provision-edge ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim -metadata: - name: 'three-acm-provision-edge' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: three-acm-provision-edge - clusterGroup: region -spec: - clusterPoolName: azure-us-acm-provision-edge ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterDeployment -metadata: - name: aws-cd-one-w-pool-acm-provision-edge - namespace: aws-cd-one-w-pool-acm-provision-edge - labels: - vendor: OpenShift - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - baseDomain: blueprints.rhecoeng.com - clusterName: aws-cd-one-w-pool-acm-provision-edge - installAttemptsLimit: 1 - platform: - aws: - credentialsSecretRef: - name: aws-cd-one-w-pool-acm-provision-edge-creds - region: ap-southeast-1 - provisioning: - installConfigSecretRef: - name: aws-cd-one-w-pool-acm-provision-edge-install-config - sshPrivateKeySecretRef: - name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: aws-cd-one-w-pool-acm-provision-edge-pull-secret ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterDeployment -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy - labels: - vendor: OpenShift - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - baseDomain: blueprints.rhecoeng.com - clusterName: aws-cd-two-wo-pool-acm-provision-on-deploy - installAttemptsLimit: 1 - platform: - aws: - credentialsSecretRef: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds - region: ap-southeast-3 - provisioning: - installConfigSecretRef: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-install-config - sshPrivateKeySecretRef: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterPool -metadata: - name: "aws-ap-acm-provision-edge" - annotations: - argocd.argoproj.io/sync-wave: "10" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - cloud: aws - region: 'ap-southeast-2' - vendor: OpenShift - cluster.open-cluster-management.io/clusterset: aws-ap -spec: - size: 3 - runningCount: 0 - baseDomain: blueprints.rhecoeng.com - installConfigSecretTemplateRef: - name: aws-ap-acm-provision-edge-install-config - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: aws-ap-acm-provision-edge-pull-secret - skipMachinePools: true # Disable MachinePool as using custom install-config - platform: - aws: - credentialsSecretRef: - name: aws-ap-acm-provision-edge-creds - region: ap-southeast-2 ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterPool -metadata: - name: "azure-us-acm-provision-edge" - annotations: - argocd.argoproj.io/sync-wave: "10" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - cloud: azure - region: 'eastus' - vendor: OpenShift - cluster.open-cluster-management.io/clusterset: azure-us -spec: - size: 2 - runningCount: 2 - baseDomain: blueprints.rhecoeng.com - installConfigSecretTemplateRef: - name: azure-us-acm-provision-edge-install-config - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: azure-us-acm-provision-edge-pull-secret - skipMachinePools: true # Disable MachinePool as using custom install-config - platform: - azure: - credentialsSecretRef: - name: azure-us-acm-provision-edge-creds - region: eastus ---- -# Source: acm/templates/provision/secrets-aws.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-creds -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: secret/data/hub/aws - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-creds - creationPolicy: Owner - template: - type: Opaque ---- -# Source: acm/templates/provision/secrets-aws.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-infra-creds -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: awsKeyId - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "blueprints.rhecoeng.com" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - aws_access_key_id: |- - {{ .awsKeyId | toString }} - aws_secret_access_key: |- - {{ .awsAccessKey | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-aws.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-creds - namespace: aws-cd-one-w-pool-acm-provision-edge -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: secret/data/hub/aws - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-one-w-pool-acm-provision-edge-creds - creationPolicy: Owner - template: - type: Opaque ---- -# Source: acm/templates/provision/secrets-aws.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-infra-creds - namespace: aws-cd-one-w-pool-acm-provision-edge -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: awsKeyId - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-one-w-pool-acm-provision-edge-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "blueprints.rhecoeng.com" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - aws_access_key_id: |- - {{ .awsKeyId | toString }} - aws_secret_access_key: |- - {{ .awsAccessKey | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-aws.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: secret/data/hub/aws - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-creds - creationPolicy: Owner - template: - type: Opaque ---- -# Source: acm/templates/provision/secrets-aws.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-infra-creds - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: awsKeyId - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "blueprints.rhecoeng.com" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - aws_access_key_id: |- - {{ .awsKeyId | toString }} - aws_secret_access_key: |- - {{ .awsAccessKey | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-azure.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-creds -spec: - data: - - secretKey: azureOsServicePrincipal - remoteRef: - key: secret/data/hub/azureOsServicePrincipal - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-creds - creationPolicy: Owner - template: - type: Opaque - data: - osServicePrincipal.json: |- - {{ .azureOsServicePrincipal | toString }} ---- -# Source: acm/templates/provision/secrets-azure.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-infra-creds -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - - secretKey: azureOsServicePrincipal - remoteRef: - key: secret/data/hub/azureOsServicePrincipal - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - cloudName: AzurePublicCloud - osServicePrincipal.json: |- - {{ .azureOsServicePrincipal | toString }} - baseDomain: "blueprints.rhecoeng.com" - baseDomainResourceGroupName: "dojo-dns-zones" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-pull-secret -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-ssh-private-key -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-pull-secret -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-ssh-private-key -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-pull-secret - namespace: aws-cd-one-w-pool-acm-provision-edge -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-one-w-pool-acm-provision-edge-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key - namespace: aws-cd-one-w-pool-acm-provision-edge -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-one-w-pool-acm-provision-edge-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key - namespace: aws-cd-two-wo-pool-acm-provision-on-deploy -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-cd-two-wo-pool-acm-provision-on-deploy-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: cluster.open-cluster-management.io/v1 -kind: ManagedCluster -metadata: - labels: - cluster.open-cluster-management.io/clusterset: acm-provision-edge - clusterGroup: region - name: aws-cd-one-w-pool-acm-provision-edge - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - hubAcceptsClient: true ---- -# Source: acm/templates/provision/clusterdeployment.yaml -apiVersion: cluster.open-cluster-management.io/v1 -kind: ManagedCluster -metadata: - labels: - cluster.open-cluster-management.io/clusterset: acm-provision-on-deploy - clusterGroup: acm-provision-on-deploy - name: aws-cd-two-wo-pool-acm-provision-on-deploy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - hubAcceptsClient: true ---- -# Source: acm/templates/provision/managedclusterset.yaml -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSet -metadata: - annotations: - cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-edge-broker - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: acm-provision-edge ---- -# Source: acm/templates/provision/managedclusterset.yaml -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSet -metadata: - annotations: - cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-on-deploy-broker - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: acm-provision-on-deploy ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-openshift-gitops-policy-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-openshift-gitops-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-acm-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-acm-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-acm-edge-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-acm-provision-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-acm-provision-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-acm-provision-edge-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: hub-argo-ca-acm-provision-on-deploy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: hub-argo-ca-acm-provision-on-deploy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: hub-argo-ca-acm-provision-on-deploy-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-edge-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-provision-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-provision-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-provision-edge-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-provision-on-deploy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-provision-on-deploy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-provision-on-deploy-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement-argocd - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy-argocd - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-openshift-gitops-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-acm-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-acm-provision-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: hub-argo-ca-acm-provision-on-deploy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: acm-region ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-provision-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: region ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-provision-on-deploy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: acm-provision-on-deploy ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement-argocd - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: golang-external-secrets - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: imperative - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-openshift-gitops-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: openshift-gitops - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-acm-edge-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-acm-edge-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-acm-edge - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-acm-provision-edge-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-acm-provision-edge-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-acm-provision-edge - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: hub-argo-ca-acm-provision-on-deploy-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: hub-argo-ca-acm-provision-on-deploy-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-hub-bundle - namespace: mypattern-acm-provision-on-deploy - data: - hub-kube-root-ca.crt: | - {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}} - hub-openshift-service-ca.crt: | - {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}} ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-edge-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-edge-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-acm-edge - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: acm-edge - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-acm-edge - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-provision-edge-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-provision-edge-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-acm-provision-edge - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: acm-provision-edge - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-acm-provision-edge - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-provision-on-deploy-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-provision-on-deploy-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-acm-provision-on-deploy - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-on-deploy.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-on-deploy.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - - name: global.localClusterName - value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - - name: global.clusterPlatform - value: aws - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: clusterGroup.name - value: acm-provision-on-deploy - destination: - server: https://kubernetes.default.svc - namespace: mypattern-acm-provision-on-deploy - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.13 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" - - complianceType: mustonlyhave - objectDefinition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: trusted-ca-bundle - namespace: openshift-gitops - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -# This policy depends on openshift-gitops-policy and the reason is that we need to be -# certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance -# because the initcontainer references the trusted-ca-bundle and if it starts without the -# configmap being there we risk running an argo instances that won't trust public CAs -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy-argocd - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - dependencies: - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: openshift-gitops-policy - namespace: open-cluster-management - - apiVersion: policy.open-cluster-management.io/v1 - compliance: Compliant - kind: Policy - name: hub-argo-ca-openshift-gitops-policy - namespace: open-cluster-management - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config-argocd - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - metadata: - name: openshift-gitops - namespace: openshift-gitops - spec: - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - webhookServer: - ingress: - enabled: false - route: - enabled: false - controller: - processors: {} - resources: - limits: - cpu: "2" - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - sharding: {} - grafana: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - route: - enabled: false - ha: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - monitoring: - enabled: false - notifications: - enabled: false - prometheus: - enabled: false - ingress: - enabled: false - route: - enabled: false - rbac: - defaultPolicy: "" - policy: |- - g, system:cluster-admins, role:admin - g, cluster-admins, role:admin - scopes: '[groups]' - redis: - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt - || true - image: registry.redhat.io/ubi9/ubi-minimal:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resourceExclusions: |- - - apiGroups: - - tekton.dev - clusters: - - '*' - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - service: - type: "" - sso: - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - provider: dex - tls: - ca: {} diff --git a/common/tests/acm.expected.diff b/common/tests/acm.expected.diff deleted file mode 100644 index 25b35645..00000000 --- a/common/tests/acm.expected.diff +++ /dev/null @@ -1,651 +0,0 @@ ---- tests/acm-naked.expected.yaml -+++ tests/acm-normal.expected.yaml -@@ -1,6 +1,386 @@ - --- --# Source: acm/templates/policies/application-policies.yaml --# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: v1 -+kind: Secret -+metadata: -+ name: aws-ap-acm-provision-edge-install-config -+data: -+ # Base64 encoding of install-config yaml -+ install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT3BlblNoaWZ0U0ROCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOiB7CiAgImF3cyI6IHsKICAgICJyZWdpb24iOiAiYXAtc291dGhlYXN0LTIiCiAgfQp9CnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== -+type: Opaque -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: v1 -+kind: Secret -+metadata: -+ name: azure-us-acm-provision-edge-install-config -+data: -+ # Base64 encoding of install-config yaml -+ install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXp1cmUtdXMnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF6dXJlOgogICAgICB0eXBlOiBTdGFuZGFyZF9EOHNfdjMKY29tcHV0ZToKLSBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBuYW1lOiAnd29ya2VyJwogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhenVyZToKICAgICAgdHlwZTogU3RhbmRhcmRfRDhzX3YzCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT3BlblNoaWZ0U0ROCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOiB7CiAgImF6dXJlIjogewogICAgImJhc2VEb21haW5SZXNvdXJjZUdyb3VwTmFtZSI6ICJkb2pvLWRucy16b25lcyIsCiAgICAicmVnaW9uIjogImVhc3R1cyIKICB9Cn0KcHVsbFNlY3JldDogIiIgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cwpzc2hLZXk6ICIiICAgICAjIHNraXAsIGhpdmUgd2lsbCBpbmplY3QgYmFzZWQgb24gaXQncyBzZWNyZXRz -+type: Opaque -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterClaim -+metadata: -+ name: 'one-acm-provision-edge' -+ annotations: -+ argocd.argoproj.io/sync-wave: "20" -+ cluster.open-cluster-management.io/createmanagedcluster: "true" -+ labels: -+ clusterClaimName: one-acm-provision-edge -+ clusterGroup: region -+spec: -+ clusterPoolName: aws-ap -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterClaim -+metadata: -+ name: 'two-acm-provision-edge' -+ annotations: -+ argocd.argoproj.io/sync-wave: "20" -+ cluster.open-cluster-management.io/createmanagedcluster: "true" -+ labels: -+ clusterClaimName: two-acm-provision-edge -+ clusterGroup: region -+spec: -+ clusterPoolName: azure-us -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterClaim -+metadata: -+ name: 'three-acm-provision-edge' -+ annotations: -+ argocd.argoproj.io/sync-wave: "20" -+ cluster.open-cluster-management.io/createmanagedcluster: "true" -+ labels: -+ clusterClaimName: three-acm-provision-edge -+ clusterGroup: region -+spec: -+ clusterPoolName: azure-us -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterPool -+metadata: -+ name: "aws-ap-acm-provision-edge" -+ annotations: -+ argocd.argoproj.io/sync-wave: "10" -+ labels: -+ cloud: aws -+ region: 'ap-southeast-2' -+ vendor: OpenShift -+ cluster.open-cluster-management.io/clusterset: aws-ap -+spec: -+ size: 3 -+ runningCount: 1 -+ baseDomain: blueprints.rhecoeng.com -+ installConfigSecretTemplateRef: -+ name: aws-ap-acm-provision-edge-install-config -+ imageSetRef: -+ name: img4.10.18-x86-64-appsub -+ pullSecretRef: -+ name: aws-ap-acm-provision-edge-pull-secret -+ skipMachinePools: true # Disable MachinePool as using custom install-config -+ platform: -+ aws: -+ credentialsSecretRef: -+ name: aws-ap-acm-provision-edge-creds -+ region: ap-southeast-2 -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterPool -+metadata: -+ name: "azure-us-acm-provision-edge" -+ annotations: -+ argocd.argoproj.io/sync-wave: "10" -+ labels: -+ cloud: azure -+ region: 'eastus' -+ vendor: OpenShift -+ cluster.open-cluster-management.io/clusterset: azure-us -+spec: -+ size: 2 -+ runningCount: 2 -+ baseDomain: blueprints.rhecoeng.com -+ installConfigSecretTemplateRef: -+ name: azure-us-acm-provision-edge-install-config -+ imageSetRef: -+ name: img4.10.18-x86-64-appsub -+ pullSecretRef: -+ name: azure-us-acm-provision-edge-pull-secret -+ skipMachinePools: true # Disable MachinePool as using custom install-config -+ platform: -+ azure: -+ credentialsSecretRef: -+ name: azure-us-acm-provision-edge-creds -+ region: eastus -+--- -+# Source: acm/templates/provision/secrets-aws.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: aws-ap-acm-provision-edge-creds -+spec: -+ dataFrom: -+ - extract: -+ # Expects entries called: aws_access_key_id and aws_secret_access_key -+ key: secret/data/hub/aws -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: aws-ap-acm-provision-edge-creds -+ creationPolicy: Owner -+ template: -+ type: Opaque -+--- -+# Source: acm/templates/provision/secrets-aws.yaml -+# For use when manually creating clusters with ACM -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: aws-ap-acm-provision-edge-infra-creds -+spec: -+ data: -+ - secretKey: openshiftPullSecret -+ remoteRef: -+ key: secret/data/hub/openshiftPullSecret -+ property: content -+ - secretKey: awsKeyId -+ remoteRef: -+ key: secret/data/hub/aws -+ property: aws_access_key_id -+ - secretKey: awsAccessKey -+ remoteRef: -+ key: secret/data/hub/aws -+ property: aws_secret_access_key -+ - secretKey: sshPublicKey -+ remoteRef: -+ key: secret/data/hub/publickey -+ property: content -+ - secretKey: sshPrivateKey -+ remoteRef: -+ key: secret/data/hub/privatekey -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: aws-ap-acm-provision-edge-infra-creds -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ metadata: -+ labels: -+ cluster.open-cluster-management.io/credentials: "" -+ cluster.open-cluster-management.io/type: aws -+ data: -+ baseDomain: "blueprints.rhecoeng.com" -+ pullSecret: |- -+ {{ .openshiftPullSecret | toString }} -+ aws_access_key_id: |- -+ {{ .awsKeyId | toString }} -+ aws_secret_access_key: |- -+ {{ .awsAccessKey | toString }} -+ ssh-privatekey: |- -+ {{ .sshPrivateKey | toString }} -+ ssh-publickey: |- -+ {{ .sshPublicKey | toString }} -+ httpProxy: "" -+ httpsProxy: "" -+ noProxy: "" -+ additionalTrustBundle: "" -+--- -+# Source: acm/templates/provision/secrets-azure.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: azure-us-acm-provision-edge-creds -+spec: -+ data: -+ - secretKey: azureOsServicePrincipal -+ remoteRef: -+ key: secret/data/hub/azureOsServicePrincipal -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: azure-us-acm-provision-edge-creds -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ data: -+ osServicePrincipal.json: |- -+ {{ .azureOsServicePrincipal | toString }} -+--- -+# Source: acm/templates/provision/secrets-azure.yaml -+# For use when manually creating clusters with ACM -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: azure-us-acm-provision-edge-infra-creds -+spec: -+ data: -+ - secretKey: openshiftPullSecret -+ remoteRef: -+ key: secret/data/hub/openshiftPullSecret -+ property: content -+ - secretKey: sshPublicKey -+ remoteRef: -+ key: secret/data/hub/publickey -+ property: content -+ - secretKey: sshPrivateKey -+ remoteRef: -+ key: secret/data/hub/privatekey -+ property: content -+ - secretKey: azureOsServicePrincipal -+ remoteRef: -+ key: secret/data/hub/azureOsServicePrincipal -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: azure-us-acm-provision-edge-infra-creds -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ metadata: -+ labels: -+ cluster.open-cluster-management.io/credentials: "" -+ cluster.open-cluster-management.io/type: aws -+ data: -+ cloudName: AzurePublicCloud -+ osServicePrincipal.json: |- -+ {{ .azureOsServicePrincipal | toString }} -+ baseDomain: "blueprints.rhecoeng.com" -+ baseDomainResourceGroupName: "dojo-dns-zones" -+ pullSecret: |- -+ {{ .openshiftPullSecret | toString }} -+ ssh-privatekey: |- -+ {{ .sshPrivateKey | toString }} -+ ssh-publickey: |- -+ {{ .sshPublicKey | toString }} -+ httpProxy: "" -+ httpsProxy: "" -+ noProxy: "" -+ additionalTrustBundle: "" -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: aws-ap-acm-provision-edge-pull-secret -+spec: -+ data: -+ - secretKey: openshiftPullSecret -+ remoteRef: -+ key: secret/data/hub/openshiftPullSecret -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: aws-ap-acm-provision-edge-pull-secret -+ creationPolicy: Owner -+ template: -+ type: kubernetes.io/dockerconfigjson -+ data: -+ .dockerconfigjson: |- -+ {{ .openshiftPullSecret | toString }} -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: aws-ap-acm-provision-edge-ssh-private-key -+spec: -+ data: -+ - secretKey: sshPrivateKey -+ remoteRef: -+ key: secret/data/hub/privatekey -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: aws-ap-acm-provision-edge-ssh-private-key -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ data: -+ ssh-privatekey: |- -+ {{ .sshPrivateKey | toString }} -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: azure-us-acm-provision-edge-pull-secret -+spec: -+ data: -+ - secretKey: openshiftPullSecret -+ remoteRef: -+ key: secret/data/hub/openshiftPullSecret -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: azure-us-acm-provision-edge-pull-secret -+ creationPolicy: Owner -+ template: -+ type: kubernetes.io/dockerconfigjson -+ data: -+ .dockerconfigjson: |- -+ {{ .openshiftPullSecret | toString }} -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: azure-us-acm-provision-edge-ssh-private-key -+spec: -+ data: -+ - secretKey: sshPrivateKey -+ remoteRef: -+ key: secret/data/hub/privatekey -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: azure-us-acm-provision-edge-ssh-private-key -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ data: -+ ssh-privatekey: |- -+ {{ .sshPrivateKey | toString }} -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: cluster.open-cluster-management.io/v1beta1 -+kind: ManagedClusterSet -+metadata: -+ annotations: -+ cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-edge-broker -+ name: acm-provision-edge -+spec: -+ clusterSelector: -+ selectorType: LegacyClusterSetLabel - --- - # Source: acm/templates/multiclusterhub.yaml - apiVersion: operator.open-cluster-management.io/v1 -@@ -12,6 +392,38 @@ - argocd.argoproj.io/sync-wave: "-1" - spec: {} - --- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: policy.open-cluster-management.io/v1 -+kind: PlacementBinding -+metadata: -+ name: acm-edge-placement-binding -+ annotations: -+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -+placementRef: -+ name: acm-edge-placement -+ kind: PlacementRule -+ apiGroup: apps.open-cluster-management.io -+subjects: -+ - name: acm-edge-clustergroup-policy -+ kind: Policy -+ apiGroup: policy.open-cluster-management.io -+--- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: policy.open-cluster-management.io/v1 -+kind: PlacementBinding -+metadata: -+ name: acm-provision-edge-placement-binding -+ annotations: -+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -+placementRef: -+ name: acm-provision-edge-placement -+ kind: PlacementRule -+ apiGroup: apps.open-cluster-management.io -+subjects: -+ - name: acm-provision-edge-clustergroup-policy -+ kind: Policy -+ apiGroup: policy.open-cluster-management.io -+--- - # Source: acm/templates/policies/ocp-gitops-policy.yaml - apiVersion: policy.open-cluster-management.io/v1 - kind: PlacementBinding -@@ -28,6 +440,32 @@ - kind: Policy - apiGroup: policy.open-cluster-management.io - --- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: apps.open-cluster-management.io/v1 -+kind: PlacementRule -+metadata: -+ name: acm-edge-placement -+spec: -+ clusterConditions: -+ - status: 'True' -+ type: ManagedClusterConditionAvailable -+ clusterSelector: -+ matchLabels: -+ clusterGroup: acm-region -+--- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: apps.open-cluster-management.io/v1 -+kind: PlacementRule -+metadata: -+ name: acm-provision-edge-placement -+spec: -+ clusterConditions: -+ - status: 'True' -+ type: ManagedClusterConditionAvailable -+ clusterSelector: -+ matchLabels: -+ clusterGroup: region -+--- - # Source: acm/templates/policies/ocp-gitops-policy.yaml - apiVersion: apps.open-cluster-management.io/v1 - kind: PlacementRule -@@ -44,6 +482,187 @@ - values: - - OpenShift - --- -+# Source: acm/templates/policies/application-policies.yaml -+# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -+apiVersion: policy.open-cluster-management.io/v1 -+kind: Policy -+metadata: -+ name: acm-edge-clustergroup-policy -+ annotations: -+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -+ argocd.argoproj.io/compare-options: IgnoreExtraneous -+spec: -+ remediationAction: enforce -+ disabled: false -+ policy-templates: -+ - objectDefinition: -+ apiVersion: policy.open-cluster-management.io/v1 -+ kind: ConfigurationPolicy -+ metadata: -+ name: acm-edge-clustergroup-config -+ spec: -+ remediationAction: enforce -+ severity: medium -+ namespaceSelector: -+ include: -+ - default -+ object-templates: -+ - complianceType: mustonlyhave -+ objectDefinition: -+ apiVersion: argoproj.io/v1alpha1 -+ kind: Application -+ metadata: -+ name: mypattern-acm-edge -+ namespace: openshift-gitops -+ finalizers: -+ - resources-finalizer.argocd.argoproj.io/foreground -+ spec: -+ project: default -+ source: -+ repoURL: https://github.com/pattern-clone/mypattern -+ targetRevision: main -+ path: common/clustergroup -+ helm: -+ ignoreMissingValueFiles: true -+ valueFiles: -+ - "/values-global.yaml" -+ - "/values-acm-edge.yaml" -+ - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' -+ # We cannot use $.Values.global.clusterVersion because that gets resolved to the -+ # hub's cluster version, whereas we want to include the spoke cluster version -+ - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' -+ parameters: -+ - name: global.repoURL -+ value: $ARGOCD_APP_SOURCE_REPO_URL -+ - name: global.targetRevision -+ value: $ARGOCD_APP_SOURCE_TARGET_REVISION -+ - name: global.namespace -+ value: $ARGOCD_APP_NAMESPACE -+ - name: global.pattern -+ value: mypattern -+ - name: global.hubClusterDomain -+ value: apps.hub.example.com -+ - name: global.localClusterDomain -+ value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' -+ # Requires ACM 2.6 or higher -+ - name: global.clusterDomain -+ value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' -+ # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) -+ - name: global.clusterVersion -+ value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' -+ - name: global.clusterPlatform -+ value: -+ - name: clusterGroup.name -+ value: acm-edge -+ - name: clusterGroup.isHubCluster -+ value: "false" -+ destination: -+ server: https://kubernetes.default.svc -+ namespace: mypattern-acm-edge -+ syncPolicy: -+ automated: -+ prune: false -+ selfHeal: true -+ ignoreDifferences: -+ - group: apps -+ kind: Deployment -+ jsonPointers: -+ - /spec/replicas -+ - group: route.openshift.io -+ kind: Route -+ jsonPointers: -+ - /status -+--- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: policy.open-cluster-management.io/v1 -+kind: Policy -+metadata: -+ name: acm-provision-edge-clustergroup-policy -+ annotations: -+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -+ argocd.argoproj.io/compare-options: IgnoreExtraneous -+spec: -+ remediationAction: enforce -+ disabled: false -+ policy-templates: -+ - objectDefinition: -+ apiVersion: policy.open-cluster-management.io/v1 -+ kind: ConfigurationPolicy -+ metadata: -+ name: acm-provision-edge-clustergroup-config -+ spec: -+ remediationAction: enforce -+ severity: medium -+ namespaceSelector: -+ include: -+ - default -+ object-templates: -+ - complianceType: mustonlyhave -+ objectDefinition: -+ apiVersion: argoproj.io/v1alpha1 -+ kind: Application -+ metadata: -+ name: mypattern-acm-provision-edge -+ namespace: openshift-gitops -+ finalizers: -+ - resources-finalizer.argocd.argoproj.io/foreground -+ spec: -+ project: default -+ source: -+ repoURL: https://github.com/pattern-clone/mypattern -+ targetRevision: main -+ path: common/clustergroup -+ helm: -+ ignoreMissingValueFiles: true -+ valueFiles: -+ - "/values-global.yaml" -+ - "/values-acm-provision-edge.yaml" -+ - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' -+ # We cannot use $.Values.global.clusterVersion because that gets resolved to the -+ # hub's cluster version, whereas we want to include the spoke cluster version -+ - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' -+ parameters: -+ - name: global.repoURL -+ value: $ARGOCD_APP_SOURCE_REPO_URL -+ - name: global.targetRevision -+ value: $ARGOCD_APP_SOURCE_TARGET_REVISION -+ - name: global.namespace -+ value: $ARGOCD_APP_NAMESPACE -+ - name: global.pattern -+ value: mypattern -+ - name: global.hubClusterDomain -+ value: apps.hub.example.com -+ - name: global.localClusterDomain -+ value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' -+ # Requires ACM 2.6 or higher -+ - name: global.clusterDomain -+ value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' -+ # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) -+ - name: global.clusterVersion -+ value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' -+ - name: global.clusterPlatform -+ value: -+ - name: clusterGroup.name -+ value: acm-provision-edge -+ - name: clusterGroup.isHubCluster -+ value: "false" -+ destination: -+ server: https://kubernetes.default.svc -+ namespace: mypattern-acm-provision-edge -+ syncPolicy: -+ automated: -+ prune: false -+ selfHeal: true -+ ignoreDifferences: -+ - group: apps -+ kind: Deployment -+ jsonPointers: -+ - /spec/replicas -+ - group: route.openshift.io -+ kind: Route -+ jsonPointers: -+ - /status -+--- - # Source: acm/templates/policies/ocp-gitops-policy.yaml - apiVersion: policy.open-cluster-management.io/v1 - kind: Policy diff --git a/common/tests/clustergroup-industrial-edge-factory.expected.yaml b/common/tests/clustergroup-industrial-edge-factory.expected.yaml deleted file mode 100644 index 65344a57..00000000 --- a/common/tests/clustergroup-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,976 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-line-dashboard -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-machine-sensor -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-messaging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-factory-ml-workspace -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-factory - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-factory - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-factory -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-factory - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - - name: stormshift - path: charts/factory/manuela-stormshift - plugin: - name: helm-with-kustomize - project: factory - - name: odh - namespace: manuela-factory-ml-workspace - path: charts/datacenter/opendatahub - project: factory - argoCD: - configManagementPlugins: - - image: quay.io/hybridcloudpatterns/utility-container:latest - name: helm-with-kustomize - pluginArgs: - - --loglevel=debug - pluginConfig: | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-factory.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=factory - --post-renderer ./kustomize"] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: false - managedClusterGroups: {} - name: factory - namespaces: - - manuela-stormshift-line-dashboard - - manuela-stormshift-machine-sensor - - manuela-stormshift-messaging - - manuela-factory-ml-workspace - nodes: [] - operatorgroupExcludes: - - manuela-factory-ml-workspace - projects: - - factory - sharedValueFiles: [] - subscriptions: - - channel: stable - name: opendatahub-operator - source: community-operators - - channel: stable - name: seldon-operator - namespace: manuela-stormshift-messaging - source: community-operators - - channel: stable - name: amq-streams - namespace: manuela-stormshift-messaging - - channel: 7.x - name: amq-broker-rhel8 - namespace: manuela-stormshift-messaging - - channel: stable - name: red-hat-camel-k - namespace: manuela-stormshift-messaging - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - clusterPlatform: aws - clusterVersion: "4.12" - extraValueFiles: [] - git: - account: hybrid-cloud-patterns - dev_revision: main - email: someone@somewhere.com - hostname: github.com - hubClusterDomain: apps.hub.example.com - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Manual - useCSV: true - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - secretStore: - backend: vault - targetRevision: main - main: - clusterGroupName: example - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: "argocd-cmp-helm-with-kustomize" - namespace: mypattern-factory -data: - "plugin.yaml": | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-factory.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=factory - --post-renderer ./kustomize"] ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: mypattern-factory - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-factory-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: factory-gitops-argocd-application-controller - namespace: mypattern-factory - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: factory-gitops-argocd-server - namespace: mypattern-factory - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: factory-gitops-argocd-dex-server - namespace: mypattern-factory ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: test - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-factory - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: factory - namespace: mypattern-factory -spec: - description: "Pattern factory" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: stormshift - namespace: mypattern-factory - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: mypattern-factory - project: factory - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/factory/manuela-stormshift - plugin: { - "name": "helm-with-kustomize" -} - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odh - namespace: mypattern-factory - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-factory-ml-workspace - project: factory - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/opendatahub - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-factory.yaml" - - "/values-4.12-factory.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: factory-gitops - namespace: mypattern-factory - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - sidecarContainers: - - name: helm-with-kustomize - command: [/var/run/argocd/argocd-cmp-server] - args: [ - "--loglevel=debug" -] - image: quay.io/hybridcloudpatterns/utility-container:latest - imagePullPolicy: Always - securityContext: - runAsNonRoot: true - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - - mountPath: /tmp - name: cmp-tmp - - mountPath: /home/argocd/cmp-server/config/plugin.yaml - subPath: plugin.yaml - name: helm-with-kustomize - volumes: - - emptyDir: {} - name: cmp-tmp - - configMap: - name: "argocd-cmp-helm-with-kustomize" - name: helm-with-kustomize - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: factory-gitops-link - namespace: mypattern-factory -spec: - applicationMenu: - section: OpenShift GitOps - imageURL:  - href: 'https://factory-gitops-server-mypattern-factory.apps.region.example.com' - location: ApplicationMenu - text: 'Factory ArgoCD' ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-line-dashboard-operator-group - namespace: manuela-stormshift-line-dashboard -spec: - targetNamespaces: - - manuela-stormshift-line-dashboard ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-machine-sensor-operator-group - namespace: manuela-stormshift-machine-sensor -spec: - targetNamespaces: - - manuela-stormshift-machine-sensor ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-messaging-operator-group - namespace: manuela-stormshift-messaging -spec: - targetNamespaces: - - manuela-stormshift-messaging ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-stormshift-messaging -spec: - name: seldon-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-stormshift-messaging -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-broker-rhel8 - namespace: manuela-stormshift-messaging -spec: - name: amq-broker-rhel8 - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: 7.x - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: red-hat-camel-k - namespace: manuela-stormshift-messaging -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: diff --git a/common/tests/clustergroup-industrial-edge-hub.expected.yaml b/common/tests/clustergroup-industrial-edge-hub.expected.yaml deleted file mode 100644 index 1038e54a..00000000 --- a/common/tests/clustergroup-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,1912 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: golang-external-secrets -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: external-secrets -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: open-cluster-management -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-ml-workspace -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-tst-all -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-ci -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-data-lake -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: staging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: vault -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-datacenter - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-datacenter - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-datacenter -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-datacenter - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - acm: - ignoreDifferences: - - group: internal.open-cluster-management.io - jsonPointers: - - /spec/loggingCA - kind: ManagedClusterInfo - name: acm - namespace: open-cluster-management - path: common/acm - project: datacenter - odh: - name: odh - namespace: manuela-ml-workspace - path: charts/datacenter/opendatahub - project: datacenter - pipelines: - name: pipelines - namespace: manuela-ci - path: charts/datacenter/pipelines - project: datacenter - production-data-lake: - ignoreDifferences: - - group: apps - jsonPointers: - - /spec/replicas - kind: Deployment - - group: route.openshift.io - jsonPointers: - - /status - kind: Route - - group: image.openshift.io - jsonPointers: - - /spec/tags - kind: ImageStream - - group: apps.openshift.io - jsonPointers: - - /spec/template/spec/containers/0/image - kind: DeploymentConfig - name: production-data-lake - namespace: manuela-data-lake - path: charts/datacenter/manuela-data-lake - project: production-datalake - secrets: - name: external-secrets - namespace: external-secrets - path: charts/datacenter/external-secrets - project: golang-external-secrets - secrets-operator: - name: golang-external-secrets - namespace: golang-external-secrets - path: common/golang-external-secrets - project: golang-external-secrets - test: - name: manuela-test - namespace: manuela-tst-all - path: charts/datacenter/manuela-tst - plugin: - name: helm-with-kustomize - project: datacenter - vault: - chart: vault - name: vault - namespace: vault - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: registry.connect.redhat.com/hashicorp/vault - - name: server.image.tag - value: 1.10.3-ubi - project: datacenter - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - argoCD: - configManagementPlugins: - - image: quay.io/hybridcloudpatterns/utility-container:latest - name: helm-with-kustomize - pluginArgs: - - --loglevel=debug - pluginConfig: | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-datacenter.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=datacenter - --post-renderer ./kustomize"] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - factory: - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - matchLabels: - clusterGroup: factory - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: factory - name: datacenter - namespaces: - - golang-external-secrets - - external-secrets - - open-cluster-management - - manuela-ml-workspace - - manuela-tst-all - - manuela-ci - - manuela-data-lake - - staging - - vault - nodes: [] - operatorgroupExcludes: - - manuela-ml-workspace - projects: - - datacenter - - production-datalake - - golang-external-secrets - - vault - sharedValueFiles: [] - subscriptions: - acm: - channel: release-2.6 - name: advanced-cluster-management - namespace: open-cluster-management - amqbroker-prod: - channel: 7.x - name: amq-broker-rhel8 - namespace: manuela-tst-all - amqstreams-prod-dev: - channel: stable - name: amq-streams - namespaces: - - manuela-data-lake - - manuela-tst-all - camelk-prod-dev: - channel: stable - name: red-hat-camel-k - namespaces: - - manuela-data-lake - - manuela-tst-all - odh: - channel: stable - name: opendatahub-operator - source: community-operators - pipelines: - channel: latest - name: openshift-pipelines-operator-rh - source: redhat-operators - seldon-prod-dev: - channel: stable - name: seldon-operator - namespaces: - - manuela-ml-workspace - - manuela-tst-all - source: community-operators - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - clusterPlatform: aws - clusterVersion: "4.12" - extraValueFiles: [] - git: - account: hybrid-cloud-patterns - dev_revision: main - email: someone@somewhere.com - hostname: github.com - hubClusterDomain: apps.hub.example.com - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Manual - useCSV: true - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - secretStore: - backend: vault - targetRevision: main - main: - clusterGroupName: example - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: "argocd-cmp-helm-with-kustomize" - namespace: mypattern-datacenter -data: - "plugin.yaml": | - apiVersion: argoproj.io/v1alpha1 - kind: ConfigManagementPlugin - metadata: - name: helm-with-kustomize - spec: - preserveFileMode: true - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-datacenter.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=datacenter - --post-renderer ./kustomize"] ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: mypattern-datacenter - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-datacenter-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: datacenter-gitops-argocd-application-controller - namespace: mypattern-datacenter - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: datacenter-gitops-argocd-server - namespace: mypattern-datacenter - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: datacenter-gitops-argocd-dex-server - namespace: mypattern-datacenter ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: test - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: datacenter - namespace: mypattern-datacenter -spec: - description: "Pattern datacenter" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: production-datalake - namespace: mypattern-datacenter -spec: - description: "Pattern production-datalake" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: golang-external-secrets - namespace: mypattern-datacenter -spec: - description: "Pattern golang-external-secrets" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: vault - namespace: mypattern-datacenter -spec: - description: "Pattern vault" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: acm - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: open-cluster-management - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/acm - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "internal.open-cluster-management.io", - "jsonPointers": [ - "/spec/loggingCA" - ], - "kind": "ManagedClusterInfo" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odh - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-ml-workspace - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/opendatahub - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: pipelines - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-ci - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/pipelines - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: production-data-lake - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-data-lake - project: production-datalake - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/manuela-data-lake - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "apps", - "jsonPointers": [ - "/spec/replicas" - ], - "kind": "Deployment" - }, - { - "group": "route.openshift.io", - "jsonPointers": [ - "/status" - ], - "kind": "Route" - }, - { - "group": "image.openshift.io", - "jsonPointers": [ - "/spec/tags" - ], - "kind": "ImageStream" - }, - { - "group": "apps.openshift.io", - "jsonPointers": [ - "/spec/template/spec/containers/0/image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-secrets - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: external-secrets - project: golang-external-secrets - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/external-secrets - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: golang-external-secrets - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: golang-external-secrets - project: golang-external-secrets - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/golang-external-secrets - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: manuela-test - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-tst-all - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/manuela-tst - plugin: { - "name": "helm-with-kustomize" -} - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: mypattern-datacenter - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: vault - project: datacenter - source: - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - chart: vault - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-datacenter.yaml" - - "/values-4.12-datacenter.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: "LoadBalancer" - - name: server.route.enabled - value: "true" - - name: server.route.host - value: - - name: server.route.tls.termination - value: "edge" - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: datacenter-gitops - namespace: mypattern-datacenter - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - sidecarContainers: - - name: helm-with-kustomize - command: [/var/run/argocd/argocd-cmp-server] - args: [ - "--loglevel=debug" -] - image: quay.io/hybridcloudpatterns/utility-container:latest - imagePullPolicy: Always - securityContext: - runAsNonRoot: true - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - - mountPath: /tmp - name: cmp-tmp - - mountPath: /home/argocd/cmp-server/config/plugin.yaml - subPath: plugin.yaml - name: helm-with-kustomize - volumes: - - emptyDir: {} - name: cmp-tmp - - configMap: - name: "argocd-cmp-helm-with-kustomize" - name: helm-with-kustomize - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: datacenter-gitops-link - namespace: mypattern-datacenter -spec: - applicationMenu: - section: OpenShift GitOps - imageURL:  - href: 'https://datacenter-gitops-server-mypattern-datacenter.apps.region.example.com' - location: ApplicationMenu - text: 'Datacenter ArgoCD' ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: golang-external-secrets-operator-group - namespace: golang-external-secrets -spec: - targetNamespaces: - - golang-external-secrets ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: external-secrets-operator-group - namespace: external-secrets -spec: - targetNamespaces: - - external-secrets ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management -spec: - targetNamespaces: - - open-cluster-management ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-tst-all-operator-group - namespace: manuela-tst-all -spec: - targetNamespaces: - - manuela-tst-all ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-ci-operator-group - namespace: manuela-ci -spec: - targetNamespaces: - - manuela-ci ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-data-lake-operator-group - namespace: manuela-data-lake -spec: - targetNamespaces: - - manuela-data-lake ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: staging-operator-group - namespace: staging -spec: - targetNamespaces: - - staging ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: vault-operator-group - namespace: vault -spec: - targetNamespaces: - - vault ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: advanced-cluster-management - namespace: open-cluster-management -spec: - name: advanced-cluster-management - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: release-2.6 - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-broker-rhel8 - namespace: manuela-tst-all -spec: - name: amq-broker-rhel8 - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: 7.x - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-data-lake -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-tst-all -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: red-hat-camel-k - namespace: manuela-data-lake -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: red-hat-camel-k - namespace: manuela-tst-all -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-pipelines-operator-rh - namespace: openshift-operators -spec: - name: openshift-pipelines-operator-rh - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: latest - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-ml-workspace -spec: - name: seldon-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-tst-all -spec: - name: seldon-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: diff --git a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 51bff564..00000000 --- a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,2047 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: open-cluster-management -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: openshift-serverless -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: opendatahub -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: openshift-storage -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: xraylab-1 -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: knative-serving -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: staging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: vault -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: golang-external-secrets -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-hub - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-hub - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-hub -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-hub - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - golang-external-secrets: - name: golang-external-secrets - namespace: golang-external-secrets - path: common/golang-external-secrets - project: hub - kafdrop: - name: kafdrop - namespace: xraylab-1 - path: charts/all/kafdrop - project: medical-diagnosis - kafka: - name: kafka - namespace: xraylab-1 - path: charts/all/kafka - project: medical-diagnosis - opendatahub: - name: odh - namespace: opendatahub - path: charts/all/opendatahub - project: medical-diagnosis - openshift-data-foundations: - name: odf - namespace: openshift-storage - path: charts/all/openshift-data-foundations - project: medical-diagnosis - openshift-serverless: - name: serverless - namespace: xraylab-1 - path: charts/all/openshift-serverless - project: medical-diagnosis - service-account: - name: xraylab-service-account - namespace: xraylab-1 - path: charts/all/medical-diagnosis/service-account - project: medical-diagnosis - vault: - chart: vault - name: vault - namespace: vault - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: registry.connect.redhat.com/hashicorp/vault - - name: server.image.tag - value: 1.10.3-ubi - project: hub - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - xraylab-database: - name: xraylab-database - namespace: xraylab-1 - path: charts/all/medical-diagnosis/database - project: medical-diagnosis - xraylab-grafana-dashboards: - name: xraylab-grafana-dashboards - namespace: xraylab-1 - path: charts/all/medical-diagnosis/grafana - project: medical-diagnosis - xraylab-image-generator: - ignoreDifferences: - - group: apps.openshift.io - jqPathExpressions: - - .spec.template.spec.containers[].image - kind: DeploymentConfig - name: xraylab-image-generator - namespace: xraylab-1 - path: charts/all/medical-diagnosis/image-generator - project: medical-diagnosis - xraylab-image-server: - ignoreDifferences: - - group: apps.openshift.io - jqPathExpressions: - - .spec.template.spec.containers[].image - kind: DeploymentConfig - name: xraylab-image-server - namespace: xraylab-1 - path: charts/all/medical-diagnosis/image-server - project: medical-diagnosis - xraylab-init: - name: xraylab-init - namespace: xraylab-1 - path: charts/all/medical-diagnosis/xray-init - project: medical-diagnosis - argoCD: - configManagementPlugins: [] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - timeout: 234 - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - region-one: - clusterSelector: - matchLabels: - clusterGroup: region-one - helmOverrides: - - name: clusterGroup.isHubCluster - value: false - name: region-one - name: hub - namespaces: - - open-cluster-management - - openshift-serverless - - opendatahub - - openshift-storage - - xraylab-1 - - knative-serving - - staging - - vault - - golang-external-secrets - nodes: [] - projects: - - hub - - medical-diagnosis - sharedValueFiles: [] - subscriptions: - amq-streams: - channel: stable - name: amq-streams - namespace: xraylab-1 - grafana: - channel: v4 - name: grafana-operator - namespace: xraylab-1 - source: community-operators - odf: - channel: stable-4.11 - name: odf-operator - namespace: openshift-storage - opendatahub: - name: opendatahub-operator - source: community-operators - severless: - channel: stable - name: serverless-operator - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - clusterPlatform: aws - clusterVersion: "4.12" - extraValueFiles: [] - git: - account: hybrid-cloud-patterns - dev_revision: main - email: someone@somewhere.com - hostname: github.com - hubClusterDomain: apps.hub.example.com - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Manual - useCSV: true - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - secretStore: - backend: vault - targetRevision: main - main: - clusterGroupName: example - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: mypattern-hub - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-hub-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: hub-gitops-argocd-application-controller - namespace: mypattern-hub - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: hub-gitops-argocd-server - namespace: mypattern-hub - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: hub-gitops-argocd-dex-server - namespace: mypattern-hub ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: test - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "234" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: hub - namespace: mypattern-hub -spec: - description: "Pattern hub" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: medical-diagnosis - namespace: mypattern-hub -spec: - description: "Pattern medical-diagnosis" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: golang-external-secrets - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: golang-external-secrets - project: hub - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/golang-external-secrets - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kafdrop - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/kafdrop - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kafka - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/kafka - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odh - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: opendatahub - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/opendatahub - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odf - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: openshift-storage - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/openshift-data-foundations - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: serverless - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/openshift-serverless - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-service-account - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/service-account - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: vault - project: hub - source: - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - chart: vault - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: "LoadBalancer" - - name: server.route.enabled - value: "true" - - name: server.route.host - value: - - name: server.route.tls.termination - value: "edge" - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-database - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/database - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-grafana-dashboards - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/grafana - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-image-generator - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/image-generator - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "apps.openshift.io", - "jqPathExpressions": [ - ".spec.template.spec.containers[].image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-image-server - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/image-server - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "apps.openshift.io", - "jqPathExpressions": [ - ".spec.template.spec.containers[].image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-init - namespace: mypattern-hub - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/xray-init - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-hub.yaml" - - "/values-4.12-hub.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: hub-gitops - namespace: mypattern-hub - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: hub-gitops-link - namespace: mypattern-hub -spec: - applicationMenu: - section: OpenShift GitOps - imageURL:  - href: 'https://hub-gitops-server-mypattern-hub.apps.region.example.com' - location: ApplicationMenu - text: 'Hub ArgoCD' ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management -spec: - targetNamespaces: - - open-cluster-management ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: openshift-serverless-operator-group - namespace: openshift-serverless -spec: - targetNamespaces: - - openshift-serverless ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: opendatahub-operator-group - namespace: opendatahub -spec: - targetNamespaces: - - opendatahub ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: openshift-storage-operator-group - namespace: openshift-storage -spec: - targetNamespaces: - - openshift-storage ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: xraylab-1-operator-group - namespace: xraylab-1 -spec: - targetNamespaces: - - xraylab-1 ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: knative-serving-operator-group - namespace: knative-serving -spec: - targetNamespaces: - - knative-serving ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: staging-operator-group - namespace: staging -spec: - targetNamespaces: - - staging ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: vault-operator-group - namespace: vault -spec: - targetNamespaces: - - vault ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: golang-external-secrets-operator-group - namespace: golang-external-secrets -spec: - targetNamespaces: - - golang-external-secrets ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: xraylab-1 -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: grafana-operator - namespace: xraylab-1 -spec: - name: grafana-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: v4 - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: odf-operator - namespace: openshift-storage -spec: - name: odf-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable-4.11 - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: serverless-operator - namespace: openshift-operators -spec: - name: serverless-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: diff --git a/common/tests/clustergroup-naked.expected.yaml b/common/tests/clustergroup-naked.expected.yaml deleted file mode 100644 index 7a9f94b2..00000000 --- a/common/tests/clustergroup-naked.expected.yaml +++ /dev/null @@ -1,588 +0,0 @@ ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: common-example - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: common-example - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: common-example -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-example - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: {} - argoCD: - configManagementPlugins: [] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: [] - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: {} - name: example - namespaces: [] - nodes: [] - projects: [] - sharedValueFiles: [] - subscriptions: {} - targetCluster: in-cluster - enabled: all - global: - extraValueFiles: [] - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: true - pattern: common - secretStore: - backend: vault - targetRevision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: common-example - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-example-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: example-gitops-argocd-application-controller - namespace: common-example - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: example-gitops-argocd-server - namespace: common-example - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: example-gitops-argocd-dex-server - namespace: common-example ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL=""; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: example-gitops - namespace: common-example - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: example-gitops-link - namespace: common-example -spec: - applicationMenu: - section: OpenShift GitOps - imageURL:  - href: 'https://example-gitops-server-common-example.' - location: ApplicationMenu - text: 'Example ArgoCD' diff --git a/common/tests/clustergroup-normal.expected.yaml b/common/tests/clustergroup-normal.expected.yaml deleted file mode 100644 index b038286e..00000000 --- a/common/tests/clustergroup-normal.expected.yaml +++ /dev/null @@ -1,1490 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: open-cluster-management - labels: - argocd.argoproj.io/managed-by: mypattern-example - kubernetes.io/os: "linux" - openshift.io/node-selector: "" - annotations: - openshift.io/cluster-monitoring: "true" - owner: "namespace owner" -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: application-ci - labels: - argocd.argoproj.io/managed-by: mypattern-example -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: exclude-targetns - labels: - argocd.argoproj.io/managed-by: mypattern-example -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-example - name: include-ci -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-example - name: exclude-og -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: totally-exclude-og - labels: - argocd.argoproj.io/managed-by: mypattern-example -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: include-default-og - labels: - argocd.argoproj.io/managed-by: mypattern-example -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-example - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-example - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-example -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-example - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - acm: - ignoreDifferences: - - group: internal.open-cluster-management.io - jsonPointers: - - /spec/loggingCA - kind: ManagedClusterInfo - name: acm - namespace: open-cluster-management - path: common/acm - project: datacenter - pipe: - extraValueFiles: - - /values/4.12/aws.yaml - name: pipelines - namespace: application-ci - path: charts/datacenter/pipelines - project: datacenter - argoCD: - configManagementPlugins: [] - initContainers: [] - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - resourceHealthChecks: - - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - kind: PersistentVolumeClaim - resourceTrackingMethod: label - imperative: - activeDeadlineSeconds: 3600 - adminClusterRoleName: imperative-admin-cluster-role - adminServiceAccountCreate: true - adminServiceAccountName: imperative-admin-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - timeout: 234 - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - - acmlabels: - - name: clusterGroup - value: acm-region - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: acm-edge - targetRevision: main - - acmlabels: - - name: clusterGroup - value: region - clusterDeployments: - myFirstCluster: - baseDomain: blueprints.rhecoeng.com - name: aws-cd-one-w-pool - openshiftVersion: 4.10.18 - platform: - aws: - region: ap-southeast-1 - clusterPools: - exampleAWSPool: - baseDomain: blueprints.rhecoeng.com - controlPlane: - count: 1 - platform: - aws: - type: m5.xlarge - name: aws-ap - openshiftVersion: 4.10.18 - platform: - aws: - region: ap-southeast-2 - size: 3 - workers: - count: 0 - exampleAzurePool: - baseDomain: blueprints.rhecoeng.com - clusters: - - Two - - three - name: azure-us - openshiftVersion: 4.10.18 - platform: - azure: - baseDomainResourceGroupName: dojo-dns-zones - region: eastus - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: acm-provision-edge - targetRevision: main - - clusterDeployments: - mySecondCluster: - baseDomain: blueprints.rhecoeng.com - name: aws-cd-two-wo-pool - openshiftVersion: 4.10.18 - platform: - aws: - region: ap-southeast-3 - name: acm-provision-on-deploy - - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - hostedArgoSites: - - domain: perth1.beekhof.net - name: perth - - domain: syd.beekhof.net - name: sydney - name: argo-edge - name: example - namespaces: - - open-cluster-management: - annotations: - openshift.io/cluster-monitoring: "true" - owner: namespace owner - labels: - kubernetes.io/os: linux - openshift.io/node-selector: "" - - application-ci: - operatorGroup: true - targetNamespaces: - - application-ci - - other-namespace - - exclude-targetns: - operatorGroup: true - targetNamespaces: null - - include-ci - - exclude-og - - totally-exclude-og: - operatorGroup: false - - include-default-og: - operatorGroup: true - nodes: - - m-m00.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - - m-m01.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - - m-m02.cluster.example.tld: - labels: - cluster.ocs.openshift.io/openshift-storage: "" - operatorgroupExcludes: - - exclude-og - projects: - - datacenter - scheduler: - mastersSchedulable: true - sharedValueFiles: - - /values/aws.yaml - - /values/4.12.yaml - subscriptions: - acm: - channel: release-2.4 - csv: advanced-cluster-management.v2.4.1 - name: advanced-cluster-management - namespace: open-cluster-management - odh: - csv: opendatahub-operator.v1.1.0 - disabled: true - name: opendatahub-operator - source: community-operators - pipelines: - csv: redhat-openshift-pipelines.v1.5.2 - name: openshift-pipelines-operator-rh - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - clusterPlatform: aws - clusterVersion: "4.12" - extraValueFiles: [] - git: - account: hybrid-cloud-patterns - dev_revision: main - email: someone@somewhere.com - hostname: github.com - hubClusterDomain: apps.hub.example.com - localClusterDomain: apps.region.example.com - multiClusterTarget: all - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: false - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - secretStore: - backend: vault - targetRevision: main - main: - clusterGroupName: example - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: trusted-ca-bundle - namespace: imperative - annotations: - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: trusted-ca-bundle - namespace: mypattern-example - labels: - config.openshift.io/inject-trusted-cabundle: 'true' ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-admin-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-admin-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-admin-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-admin-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-example-cluster-admin-rolebinding - # We need to have this before anything else or the sync might get stuck forever - # due to permission issues - annotations: - argocd.argoproj.io/sync-wave: "-100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: example-gitops-argocd-application-controller - namespace: mypattern-example - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: example-gitops-argocd-server - namespace: mypattern-example - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: example-gitops-argocd-dex-server - namespace: mypattern-example ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: test - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "234" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: fetch-ca - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - >- - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true; - ls -l /tmp/ca-bundles/ - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - - name: git-init - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - volumeMounts: - - name: git - mountPath: "/git" - - name: ca-bundles - mountPath: /etc/pki/tls/certs - command: - - 'sh' - - '-c' - - >- - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then - URL="https://github.com/pattern-clone/mypattern"; - else - if ! oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode}}' &>/dev/null; then - U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; - P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - else - S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; - mkdir -p --mode 0700 "${HOME}/.ssh"; - echo "${S}" > "${HOME}/.ssh/id_rsa"; - chmod 0600 "${HOME}/.ssh/id_rsa"; - URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); - git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - fi; - fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; - OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; - if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; - if [ "main" = "HEAD" ]; then BRANCH=""; else BRANCH="--branch main"; fi; - mkdir /git/{repo,home}; - git clone --recurse-submodules --single-branch ${BRANCH} --depth 1 -- "${URL}" /git/repo; - chmod 0770 /git/{repo,home}; - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - name: ca-bundles - emptyDir: {} - restartPolicy: Never ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: argo-edge - namespace: openshift-gitops -spec: - description: "Cluster Group argo-edge" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: datacenter - namespace: mypattern-example -spec: - description: "Pattern datacenter" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: acm - namespace: mypattern-example - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: open-cluster-management - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/acm - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-example.yaml" - - "/values-4.12-example.yaml" - - "/values/aws.yaml" - - "/values/4.12.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - ignoreDifferences: [ - { - "group": "internal.open-cluster-management.io", - "jsonPointers": [ - "/spec/loggingCA" - ], - "kind": "ManagedClusterInfo" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: pipelines - namespace: mypattern-example - labels: - validatedpatterns.io/pattern: mypattern - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: application-ci - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/pipelines - helm: - ignoreMissingValueFiles: true - values: | - extraParametersNested: - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - - "/values-aws.yaml" - - "/values-aws-4.12.yaml" - - "/values-aws-example.yaml" - - "/values-4.12-example.yaml" - - "/values/aws.yaml" - - "/values/4.12.yaml" - - "/values/4.12/aws.yaml" - parameters: - - name: global.repoURL - value: https://github.com/pattern-clone/mypattern - - name: global.targetRevision - value: main - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "4.12" - - name: global.clusterPlatform - value: "aws" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.multiSourceSupport - value: - - name: global.multiSourceRepoUrl - value: - - name: global.multiSourceTargetRevision - value: - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.privateRepo - value: - - name: global.experimentalCapabilities - value: - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-perth - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.perth1.beekhof.net - - name: global.clusterDomain - value: perth1.beekhof.net - - name: enabled - value: core - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: perth - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_perth - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: perth - namespace: mypattern-argo-edge - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-perth-plumbing - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.perth1.beekhof.net - - name: global.clusterDomain - value: perth1.beekhof.net - - name: enabled - value: plumbing - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: perth - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_perth - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: in-cluster - namespace: openshift-gitops - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-sydney - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.syd.beekhof.net - - name: global.clusterDomain - value: syd.beekhof.net - - name: enabled - value: core - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: sydney - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_sydney - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: sydney - namespace: mypattern-argo-edge - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-sydney-plumbing - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.syd.beekhof.net - - name: global.clusterDomain - value: syd.beekhof.net - - name: enabled - value: plumbing - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: sydney - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_sydney - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: in-cluster - namespace: openshift-gitops - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1beta1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: example-gitops - namespace: mypattern-example - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceHealthChecks: - - kind: PersistentVolumeClaim - check: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - - resourceTrackingMethod: label - applicationInstanceLabelKey: argocd.argoproj.io/instance - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - initContainers: - - command: - - bash - - -c - - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt || true - image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest - name: fetch-ca - resources: {} - volumeMounts: - - mountPath: /var/run/kube-root-ca - name: kube-root-ca - - mountPath: /var/run/trusted-ca - name: trusted-ca-bundle - - mountPath: /var/run/trusted-hub - name: trusted-hub-bundle - - mountPath: /tmp/ca-bundles - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - mountPath: /etc/pki/tls/certs - name: ca-bundles - volumes: - - configMap: - name: kube-root-ca.crt - name: kube-root-ca - - configMap: - name: trusted-ca-bundle - optional: true - name: trusted-ca-bundle - - configMap: - name: trusted-hub-bundle - optional: true - name: trusted-hub-bundle - - emptyDir: {} - name: ca-bundles - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: example-gitops-link - namespace: mypattern-example -spec: - applicationMenu: - section: OpenShift GitOps - imageURL:  - href: 'https://example-gitops-server-mypattern-example.apps.region.example.com' - location: ApplicationMenu - text: 'Example ArgoCD' ---- -# Source: clustergroup/templates/core/nodes.yaml -apiVersion: v1 -kind: Node -metadata: - name: m-m00.cluster.example.tld - labels: - argocd.argoproj.io/managed-by: mypattern-example - cluster.ocs.openshift.io/openshift-storage: "" ---- -# Source: clustergroup/templates/core/nodes.yaml -apiVersion: v1 -kind: Node -metadata: - name: m-m01.cluster.example.tld - labels: - argocd.argoproj.io/managed-by: mypattern-example - cluster.ocs.openshift.io/openshift-storage: "" ---- -# Source: clustergroup/templates/core/nodes.yaml -apiVersion: v1 -kind: Node -metadata: - name: m-m02.cluster.example.tld - labels: - argocd.argoproj.io/managed-by: mypattern-example - cluster.ocs.openshift.io/openshift-storage: "" ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: application-ci-operator-group - namespace: application-ci -spec: - targetNamespaces: - - application-ci - - other-namespace ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: exclude-targetns-operator-group - namespace: exclude-targetns ---- -# Source: clustergroup/templates/core/operatorgroup.yaml ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: include-ci-operator-group - namespace: include-ci -spec: - targetNamespaces: - - include-ci ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: include-default-og-operator-group - namespace: include-default-og -spec: - targetNamespaces: - - include-default-og ---- -# Source: clustergroup/templates/core/scheduler.yaml -apiVersion: config.openshift.io/v1 -kind: Scheduler -metadata: - name: cluster -spec: - mastersSchedulable: true ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: advanced-cluster-management - namespace: open-cluster-management -spec: - name: advanced-cluster-management - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: release-2.4 - installPlanApproval: Automatic - startingCSV: advanced-cluster-management.v2.4.1 ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-pipelines-operator-rh - namespace: openshift-operators -spec: - name: openshift-pipelines-operator-rh - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - startingCSV: redhat-openshift-pipelines.v1.5.2 diff --git a/common/tests/clustergroup.expected.diff b/common/tests/clustergroup.expected.diff deleted file mode 100644 index c2fba541..00000000 --- a/common/tests/clustergroup.expected.diff +++ /dev/null @@ -1,381 +0,0 @@ ---- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: common-example - name: imperative ---- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: common-example - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: common-example -spec: {} ---- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-example - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: [] - imperative: - activeDeadlineSeconds: 3600 - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: [] - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: [] - name: example - namespaces: [] - projects: [] - subscriptions: [] - targetCluster: in-cluster - enabled: all - global: - options: - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: true - pattern: common - targetRevision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: pattern-clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-example-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: example-gitops-argocd-application-controller - namespace: common-example - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: example-gitops-argocd-server - namespace: common-example - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: example-gitops-argocd-dex-server - namespace: common-example ---- -# Source: pattern-clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-admin-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - restartPolicy: Never ---- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: example-gitops - namespace: common-example - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=common - --set global.clusterDomain= - --set global.hubClusterDomain= - --set global.localClusterDomain= - --set clusterGroup.name=example - --post-renderer ./kustomize"] - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: example-gitops-link - namespace: common-example -spec: - applicationMenu: - section: OpenShift GitOps - imageURL:  - href: 'https://example-gitops-server-common-example.' - location: ApplicationMenu - text: 'Example ArgoCD' diff --git a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml deleted file mode 100644 index fea780d3..00000000 --- a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: Secret - name: hub-ca - key: hub-kube-root-ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: region.example.com - role: region.example.com-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml deleted file mode 100644 index 341ae7e2..00000000 --- a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 341ae7e2..00000000 --- a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets-naked.expected.yaml b/common/tests/golang-external-secrets-naked.expected.yaml deleted file mode 100644 index 72ffed42..00000000 --- a/common/tests/golang-external-secrets-naked.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets-normal.expected.yaml b/common/tests/golang-external-secrets-normal.expected.yaml deleted file mode 100644 index 341ae7e2..00000000 --- a/common/tests/golang-external-secrets-normal.expected.yaml +++ /dev/null @@ -1,13143 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ACRAccessToken returns a Azure Container Registry token - that can be used for pushing/pulling images. - Note: by default it will return an ACR Refresh Token with full access - (depending on the identity). - This can be scoped down to the repository level using .spec.scope. - In case scope is defined it will return an ACR Access Token. - - - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - ACRAccessTokenSpec defines how to generate the access token - e.g. how to authenticate and which registry to use. - see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: |- - Configuration used to authenticate with Azure using static - credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: |- - the domain name of the ACR registry - e.g. foobarexample.azurecr.io - type: string - scope: - description: |- - Define the scope for the access token, e.g. pull/push access for a repository. - if not provided it will return a refresh token that has full scope. - Note: you need to pin it down to the repository level, there is no wildcard available. - - - examples: - repository:my-repository:pull,push - repository:my-repository:pull - - - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.externalSecretSpec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshTime - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretMetadata: - description: The metadata of the external secrets to be created - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: |- - The labels to select by to find the Namespaces to create the ExternalSecrets in. - Deprecated: Use NamespaceSelectors instead. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelectors: - description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. - items: - type: string - type: array - refreshTime: - description: The time in which the controller should reconcile its objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - externalSecretName: - description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret - type: string - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. - properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an - authorization token. - The authorization token is valid for 12 hours. - The authorizationToken returned is a base64 encoded string that can be decoded - and used in a docker login command to authenticate to a registry. - For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: |- - You can assume a role before making calls to the - desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Merge - - None - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: |- - RemoteRef points to the remote secret and defines - which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: |- - SecretKey defines the key in which the controller stores - the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: |- - SourceRef allows you to override the source - from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: |- - GeneratorRef points to a generator custom resource. - - - Deprecated: The generatorRef is not implemented in .data[]. - this will be removed with v1. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: |- - DataFrom is used to fetch all properties from a specific Provider data - If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: |- - Used to extract multiple key/value pairs from one secret - Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - default: None - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - enum: - - None - - Fetch - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: |- - Used to find secrets based on tags or regular expressions - Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - enum: - - Default - - Unicode - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - enum: - - Auto - - Base64 - - Base64URL - - None - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: |- - Used to rewrite secret Keys after getting them from the secret Provider - Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: |- - Used to rewrite with regular expressions. - The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: |- - Used to apply string transformation on the secrets. - The resulting key will be the output of the template applied by the operation. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - type: array - sourceRef: - description: |- - SourceRef points to a store or generator - which contains secret values ready to use. - Use this in combination with Extract or Find pull values out of - a specific SecretStore. - When sourceRef points to a generator Extract or Find is not supported. - The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource. - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider - Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: |- - ExternalSecretTarget defines the Kubernetes Secret to be created - There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: |- - CreationPolicy defines rules on how to create the resulting Secret - Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: |- - DeletionPolicy defines rules on how to delete the resulting Secret - Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: |- - Name defines the name of the Secret resource to be managed - This field is immutable - Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. - type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Fake generator is used for testing. It lets you define - a static set of credentials that is always returned. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - data: - additionalProperties: - type: string - description: |- - Data defines the static data returned - by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - GCRAccessToken generates an GCP access token - that can be used to authenticate with GCR. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: githubaccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - githubaccesstoken - kind: GithubAccessToken - listKind: GithubAccessTokenList - plural: githubaccesstokens - shortNames: - - githubaccesstoken - singular: githubaccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GithubAccessToken generates ghs_ accessToken - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - appID: - type: string - auth: - description: Auth configures how ESO authenticates with a Github instance. - properties: - privateKey: - properties: - secretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - secretRef - type: object - required: - - privateKey - type: object - installID: - type: string - url: - description: URL configures the Github instance URL. Defaults to https://github.com/. - type: string - required: - - appID - - auth - - installID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Password generates a random password based on the - configuration parameters in spec. - You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: |- - Digits specifies the number of digits in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: |- - Length of the password to be generated. - Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: |- - SymbolCharacters specifies the special characters that should be used - in the generated password. - type: string - symbols: - description: |- - Symbols specifies the number of symbol characters in the generated - password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' - enum: - - Delete - - None - type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: |- - Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. - properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v1 - - v2 - type: string - mergePolicy: - default: Replace - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - enum: - - Data - - Annotations - - Labels - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, instance principal is used. Optionally, the authenticating principal type - and/or user data may be supplied for the use of workload identity and user principal. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: |- - ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in - for a ClusterSecretStore instance. - properties: - namespaceRegexes: - description: Choose namespaces by using regex matching - items: - type: string - type: array - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters ES based on this property - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: |- - Kubernetes authenticates with Akeyless by passing the ServiceAccount - token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Akeyless. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Akeyless. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: |- - Reference to a Secret that contains the details - to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessType: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: |- - PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used - if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role - items: - type: string - type: array - auth: - description: |- - Auth defines the information necessary to authenticate against AWS - if not set aws sdk will infer credentials from your environment - see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: |- - AWSAuthSecretRef holds secret references for AWS credentials - both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - prefix: - description: Prefix adds a prefix to all retrieved values. - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the provider will assume - type: string - secretsManager: - description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager - properties: - forceDeleteWithoutRecovery: - description: |- - Specifies whether to delete the secret without any recovery window. You - can't use both this parameter and RecoveryWindowInDays in the same call. - If you don't use either, then by default Secrets Manager uses a 30 day - recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery - type: boolean - recoveryWindowInDays: - description: |- - The number of days from 7 to 30 that Secrets Manager waits before - permanently deleting the secret. You can't use both this parameter and - ForceDeleteWithoutRecovery in the same call. If you don't use either, - then by default Secrets Manager uses a 30 day recovery window. - see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays - format: int64 - type: integer - type: object - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - sessionTags: - description: AWS STS assume role session tags - items: - properties: - key: - type: string - value: - type: string - required: - - key - - value - type: object - type: array - transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider - items: - type: string - type: array - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - properties: - clientCertificate: - description: The Azure ClientCertificate of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientId: - description: The Azure clientId of the service principle or managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - tenantId: - description: The Azure tenantId of the managed identity used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: |- - Auth type defines how to authenticate to the keyvault service. - Valid values are: - - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: |- - EnvironmentType specifies the Azure cloud environment endpoints to use for - connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. - The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 - PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - bitwardensecretsmanager: - description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider - properties: - apiURL: - type: string - auth: - description: |- - Auth configures how secret-manager authenticates with a bitwarden machine account instance. - Make sure that the token being used has permissions on the given secret. - properties: - secretRef: - description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. - properties: - credentials: - description: AccessToken used for the bitwarden instance. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - credentials - type: object - required: - - secretRef - type: object - bitwardenServerSDKURL: - type: string - caBundle: - description: |- - Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack - can be performed. - type: string - identityURL: - type: string - organizationID: - description: OrganizationID determines which organization this secret store manages. - type: string - projectID: - description: ProjectID determines which project this secret store manages. - type: string - required: - - auth - - caBundle - - organizationID - - projectID - type: object - chef: - description: Chef configures this store to sync secrets with chef server - properties: - auth: - description: Auth defines the information necessary to authenticate against chef Server - properties: - secretRef: - description: ChefAuthSecretRef holds secret references for chef server login credentials. - properties: - privateKeySecretRef: - description: SecretKey is the Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - privateKeySecretRef - type: object - required: - - secretRef - type: object - serverUrl: - description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" - type: string - username: - description: UserName should be the user ID on the chef server - type: string - required: - - auth - - serverUrl - - username - type: object - conjur: - description: Conjur configures this store to sync secrets using conjur provider - properties: - auth: - properties: - apikey: - properties: - account: - type: string - apiKeyRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - account - - apiKeyRef - - userRef - type: object - jwt: - properties: - account: - type: string - hostId: - description: |- - Optional HostID for JWT authentication. This may be used depending - on how the Conjur JWT authenticator policy is configured. - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Conjur using the JWT authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional ServiceAccountRef specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - serviceID: - description: The conjur authn jwt webservice id - type: string - required: - - account - - serviceID - type: object - type: object - caBundle: - type: string - caProvider: - description: |- - Used to provide custom certificate authority (CA) certificates - for a secret store. The CAProvider points to a Secret or ConfigMap resource - that contains a PEM-encoded certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - type: string - required: - - auth - - url - type: object - delinea: - description: |- - Delinea DevOps Secrets Vault - https://docs.delinea.com/online-help/products/devops-secrets-vault/current - properties: - clientId: - description: ClientID is the non-secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - clientSecret: - description: ClientSecret is the secret part of the credential. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - tenant: - description: Tenant is the chosen hostname / site name. - type: string - tld: - description: |- - TLD is based on the server location that was chosen during provisioning. - If unset, defaults to "com". - type: string - urlTemplate: - description: |- - URLTemplate - If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". - type: string - required: - - clientId - - clientSecret - - tenant - type: object - device42: - description: Device42 configures this store to sync secrets using the Device42 provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Device42 instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - host: - description: URL configures the Device42 instance URL. - type: string - required: - - auth - - host - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: |- - The DopplerToken is used for authentication. - See https://docs.doppler.com/reference/api#authentication for auth token types. - The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - - lower-kebab - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - fortanix: - description: Fortanix configures this store to sync secrets using the Fortanix provider - properties: - apiKey: - description: APIKey is the API token to access SDKMS Applications. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the SDKMS API Key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. - type: string - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - location: - description: Location optionally defines a location for a secret - type: string - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - infisical: - description: Infisical configures this store to sync secrets using the Infisical provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Infisical API - properties: - universalAuthCredentials: - properties: - clientId: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientSecret: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecret - type: object - type: object - hostAPI: - default: https://app.infisical.com/api - type: string - secretsScope: - properties: - environmentSlug: - type: string - projectSlug: - type: string - secretsPath: - default: / - type: string - required: - - environmentSlug - - projectSlug - type: object - required: - - auth - - secretsScope - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - clientKey: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - type: object - authRef: - description: A reference to a secret that contains the auth information. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - type: object - onboardbase: - description: Onboardbase configures this store to sync secrets using the Onboardbase provider - properties: - apiHost: - default: https://public.onboardbase.com/api/v1/ - description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ - type: string - auth: - description: Auth configures how the Operator authenticates with the Onboardbase API - properties: - apiKeyRef: - description: |- - OnboardbaseAPIKey is the APIKey generated by an admin account. - It is used to recognize and authorize access to a project and environment within onboardbase - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - passcodeRef: - description: OnboardbasePasscode is the passcode attached to the API Key - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - apiKeyRef - - passcodeRef - type: object - environment: - default: development - description: Environment is the name of an environmnent within a project to pull the secrets from - type: string - project: - default: development - description: Project is an onboardbase project that the secrets should be pulled from - type: string - required: - - apiHost - - auth - - environment - - project - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: |- - Auth configures how secret-manager authenticates with the Oracle Vault. - If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - compartment: - description: |- - Compartment is the vault compartment OCID. - Required for PushSecret - type: string - encryptionKey: - description: |- - EncryptionKey is the OCID of the encryption key within the vault. - Required for PushSecret - type: string - principalType: - description: |- - The type of principal to use for authentication. If left blank, the Auth struct will - determine the principal type. This optional field must be specified if using - workload identity. - enum: - - "" - - UserPrincipal - - InstancePrincipal - - Workload - type: string - region: - description: Region is the region where vault is located. - type: string - serviceAccountRef: - description: |- - ServiceAccountRef specified the service account - that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - passbolt: - properties: - auth: - description: Auth defines the information necessary to authenticate against Passbolt Server - properties: - passwordSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - privateKeySecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - passwordSecretRef - - privateKeySecretRef - type: object - host: - description: Host defines the Passbolt Server to connect to - type: string - required: - - auth - - host - type: object - passworddepot: - description: Configures a store to sync secrets with a Password Depot instance. - properties: - auth: - description: Auth configures how secret-manager authenticates with a Password Depot instance. - properties: - secretRef: - properties: - credentials: - description: Username / Password is used for authentication. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - database: - description: Database to use as source - type: string - host: - description: URL configures the Password Depot instance URL. - type: string - required: - - auth - - database - - host - type: object - pulumi: - description: Pulumi configures this store to sync secrets using the Pulumi provider - properties: - accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. - properties: - secretRef: - description: SecretRef is a reference to a secret containing the Pulumi API token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - apiUrl: - default: https://api.pulumi.com/api/preview - description: APIURL is the URL of the Pulumi API. - type: string - environment: - description: |- - Environment are YAML documents composed of static key-value pairs, programmatic expressions, - dynamically retrieved values from supported providers including all major clouds, - and other Pulumi ESC environments. - To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. - type: string - organization: - description: |- - Organization are a space to collaborate on shared projects and stacks. - To create a new organization, visit https://app.pulumi.com/ and click "New Organization". - type: string - required: - - accessToken - - environment - - organization - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - secretserver: - description: |- - SecretServer configures this store to sync secrets using SecretServer provider - https://docs.delinea.com/online-help/secret-server/start.htm - properties: - password: - description: Password is the secret server account password. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - serverURL: - description: |- - ServerURL - URL to your secret server installation - type: string - username: - description: Username is the secret server account username. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - password - - serverURL - - username - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: |- - A reference to a specific 'key' within a Secret resource, - In some instances, `key` is a required field. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. - type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - controller: - description: |- - Used to select the correct ESO controller (think: ingress.ingressClassName) - The ESO controller is instantiated with a specific controller name and filters VDS based on this property - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: |- - AppRole authenticates with Vault using the App Role auth mechanism, - with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: |- - Path where the App Role authentication backend is mounted - in Vault, e.g: "approle" - type: string - roleId: - description: |- - RoleID configured in the App Role authentication backend when setting - up the authentication backend in Vault. - type: string - roleRef: - description: |- - Reference to a key in a Secret that contains the App Role ID used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role id. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - Reference to a key in a Secret that contains the App Role secret used - to authenticate with Vault. - The `key` field must be specified and denotes which entry within the Secret - resource is used as the app role secret. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: |- - Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate - Cert authentication method - properties: - clientCert: - description: |- - ClientCert is a certificate to authenticate using the Cert Vault - authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretRef: - description: |- - SecretRef to a key in a Secret resource containing client private key to - authenticate with Vault using the Cert authentication method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - iam: - description: |- - Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials - AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: |- - The SessionToken used for authentication - This must be defined if AccessKeyID and SecretAccessKey are temporary credentials - see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: |- - Jwt authenticates with Vault by passing role and JWT token using the - JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: |- - Optional ServiceAccountToken specifies the Kubernetes service account for which to request - a token for with the `TokenRequest` API. - properties: - audiences: - description: |- - Optional audiences field that will be used to request a temporary Kubernetes service - account token for the service account referenced by `serviceAccountRef`. - Defaults to a single audience `vault` it not specified. - Deprecated: use serviceAccountRef.Audiences instead - items: - type: string - type: array - expirationSeconds: - description: |- - Optional expiration time in seconds that will be used to request a temporary - Kubernetes service account token for the service account referenced by - `serviceAccountRef`. - Deprecated: this will be removed in the future. - Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: |- - Path where the JWT authentication backend is mounted - in Vault, e.g: "jwt" - type: string - role: - description: |- - Role is a JWT role to authenticate using the JWT/OIDC Vault - authentication method - type: string - secretRef: - description: |- - Optional SecretRef that refers to a key in a Secret resource containing JWT token to - authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: |- - Kubernetes authenticates with Vault by passing the ServiceAccount - token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: |- - Path where the Kubernetes authentication backend is mounted in Vault, e.g: - "kubernetes" - type: string - role: - description: |- - A required field containing the Vault Role to assume. A Role binds a - Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: |- - Optional secret field containing a Kubernetes ServiceAccount JWT used - for authenticating with Vault. If a name is specified without a key, - `token` is the default. If one is not specified, the one bound to - the controller will be used. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: |- - Optional service account field containing the name of a kubernetes ServiceAccount. - If the service account is specified, the service account secret token JWT will be used - for authenticating with Vault. If the service account selector is not supplied, - the secretRef will be used instead. - properties: - audiences: - description: |- - Audience specifies the `aud` claim for the service account token - If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity - then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: |- - Ldap authenticates with Vault by passing username/password pair using - the LDAP authentication method - properties: - path: - default: ldap - description: |- - Path where the LDAP authentication backend is mounted - in Vault, e.g: "ldap" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the LDAP - user used to authenticate with Vault using the LDAP authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a LDAP user name used to authenticate using the LDAP Vault - authentication method - type: string - required: - - path - - username - type: object - namespace: - description: |- - Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. - Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - This will default to Vault.Namespace field if set, or empty otherwise - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - userPass: - description: UserPass authenticates with Vault by passing username/password pair - properties: - path: - default: user - description: |- - Path where the UserPassword authentication backend is mounted - in Vault, e.g: "user" - type: string - secretRef: - description: |- - SecretRef to a key in a Secret resource containing password for the - user used to authenticate with Vault using the UserPass authentication - method - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - username: - description: |- - Username is a user name used to authenticate using the UserPass Vault - authentication method - type: string - required: - - path - - username - type: object - type: object - caBundle: - description: |- - PEM encoded CA bundle used to validate Vault server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: |- - The namespace the Provider type is in. - Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: |- - ForwardInconsistent tells Vault to forward read-after-write requests to the Vault - leader instead of simply retrying within a loop. This can increase performance if - the option is enabled serverside. - https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - headers: - additionalProperties: - type: string - description: Headers to be added in Vault request - type: object - namespace: - description: |- - Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows - Vault environments to support Secure Multi-tenancy. e.g: "ns1". - More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces - type: string - path: - description: |- - Path is the mount path of the Vault KV backend endpoint, e.g: - "secret". The v2 KV secret engine version specific "/data" path suffix - for fetching secrets from Vault is optional and will be appended - if not present in specified path. - type: string - readYourWrites: - description: |- - ReadYourWrites ensures isolated read-after-write semantics by - providing discovered cluster replication states in each request. - More information about eventual consistency in Vault can be found here - https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - tls: - description: |- - The configuration used for client side related TLS communication, when the Vault server - requires mutual authentication. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - It's worth noting this configuration is different from the "TLS certificates auth method", - which is available under the `auth.cert` section. - properties: - certSecretRef: - description: |- - CertSecretRef is a certificate added to the transport layer - when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.crt'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - keySecretRef: - description: |- - KeySecretRef to a key in a Secret resource containing client private key - added to the transport layer when communicating with the Vault server. - If no key for the Secret is specified, external-secret will default to 'tls.key'. - properties: - key: - description: |- - The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be - defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: |- - Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults - to the namespace of the referent. - type: string - type: object - type: object - version: - default: v2 - description: |- - Version is the Vault KV secret engine version. This can be either "v1" or - "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: |- - Result type defines which data is returned from the generator. - By default it is the "data" section of the Vault API response. - When using e.g. /auth/token/create the "data" section is empty but - the "auth" section contains the generated token. - Please refer to the vault docs regarding the result data structure. - enum: - - Data - - Auth - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - external-secrets.io/component: controller - name: webhooks.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - webhook - kind: Webhook - listKind: WebhookList - plural: webhooks - shortNames: - - webhookl - singular: webhook - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - Webhook connects to a third party API server to handle the secrets generation - configuration parameters in spec. - You can specify the server, the token, and additional body parameters. - See documentation for the full API specification for requests and responses. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. - properties: - body: - description: Body - type: string - caBundle: - description: |- - PEM encoded CA bundle used to validate webhook server certificate. Only used - if the Server URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root certificates - are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: |- - Secrets to fill in templates - These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key where the token is found. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "githubaccesstokens" - - "passwords" - - "vaultdynamicsecrets" - - "webhooks" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: default - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: default ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - - --enable-partial-cache=true - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - - --metrics-addr=:8080 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - dnsPolicy: ClusterFirst ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-webhook - namespace: default - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - helm.sh/chart: external-secrets-0.10.0 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.10.0" - app.kubernetes.io/managed-by: Helm - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - - --loglevel=info - - --zap-time-encoding=epoch - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - service: - namespace: default - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets.expected.diff b/common/tests/golang-external-secrets.expected.diff deleted file mode 100644 index 19d26594..00000000 --- a/common/tests/golang-external-secrets.expected.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- tests/golang-external-secrets-naked.expected.yaml -+++ tests/golang-external-secrets-normal.expected.yaml -@@ -6337,7 +6337,7 @@ - spec: - provider: - vault: -- server: https://vault-vault.hub.example.com -+ server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 diff --git a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml deleted file mode 100644 index fb8f1c8e..00000000 --- a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: pattern-namespace ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL:  - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: hashicorp-vault-server-test - namespace: pattern-namespace - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.pattern-namespace.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml deleted file mode 100644 index fb8f1c8e..00000000 --- a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: pattern-namespace ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL:  - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: hashicorp-vault-server-test - namespace: pattern-namespace - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.pattern-namespace.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index fb8f1c8e..00000000 --- a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: pattern-namespace ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL:  - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: hashicorp-vault-server-test - namespace: pattern-namespace - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.pattern-namespace.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault-naked.expected.yaml b/common/tests/hashicorp-vault-naked.expected.yaml deleted file mode 100644 index 49ea96cb..00000000 --- a/common/tests/hashicorp-vault-naked.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: default ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: default - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL:  - href: 'https://vault-vault.apps.foo.cluster.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: hashicorp-vault-server-test - namespace: default - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault-normal.expected.yaml b/common/tests/hashicorp-vault-normal.expected.yaml deleted file mode 100644 index fb8f1c8e..00000000 --- a/common/tests/hashicorp-vault-normal.expected.yaml +++ /dev/null @@ -1,410 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: pattern-namespace ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: ClusterIP ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - annotations: - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). - preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL:  - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: pattern-namespace - labels: - helm.sh/chart: vault-0.28.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: hashicorp-vault-server-test - namespace: pattern-namespace - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.17.3-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.pattern-namespace.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault.expected.diff b/common/tests/hashicorp-vault.expected.diff deleted file mode 100644 index 9e948a07..00000000 --- a/common/tests/hashicorp-vault.expected.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- tests/hashicorp-vault-naked.expected.yaml -+++ tests/hashicorp-vault-normal.expected.yaml -@@ -341,7 +341,7 @@ - applicationMenu: - section: HashiCorp Vault - imageURL:  -- href: 'https://vault-vault.apps.foo.cluster.com' -+ href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' - --- diff --git a/common/tests/install-industrial-edge-factory.expected.yaml b/common/tests/install-industrial-edge-factory.expected.yaml deleted file mode 100644 index 0dfd0d84..00000000 --- a/common/tests/install-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,66 +0,0 @@ ---- -# Source: pattern-install/templates/argocd/namespace.yaml -# Pre-create so we can create our argo app for keeping subscriptions in sync -# Do it here so that we don't try to sync it in the future -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-gitops ---- -# Source: pattern-install/templates/argocd/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: install-example - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: install-example - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - # Track the progress of https://github.com/argoproj/argo-cd/pull/6280 - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: install - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.clusterVersion - value: "" - syncPolicy: - automated: {} ---- -# Source: pattern-install/templates/argocd/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: "" -spec: - channel: stable - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: install-example,openshift-gitops diff --git a/common/tests/install-industrial-edge-hub.expected.yaml b/common/tests/install-industrial-edge-hub.expected.yaml deleted file mode 100644 index 0dfd0d84..00000000 --- a/common/tests/install-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,66 +0,0 @@ ---- -# Source: pattern-install/templates/argocd/namespace.yaml -# Pre-create so we can create our argo app for keeping subscriptions in sync -# Do it here so that we don't try to sync it in the future -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-gitops ---- -# Source: pattern-install/templates/argocd/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: install-example - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: install-example - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - # Track the progress of https://github.com/argoproj/argo-cd/pull/6280 - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: install - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.clusterVersion - value: "" - syncPolicy: - automated: {} ---- -# Source: pattern-install/templates/argocd/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: "" -spec: - channel: stable - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: install-example,openshift-gitops diff --git a/common/tests/install-medical-diagnosis-hub.expected.yaml b/common/tests/install-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 0dfd0d84..00000000 --- a/common/tests/install-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,66 +0,0 @@ ---- -# Source: pattern-install/templates/argocd/namespace.yaml -# Pre-create so we can create our argo app for keeping subscriptions in sync -# Do it here so that we don't try to sync it in the future -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-gitops ---- -# Source: pattern-install/templates/argocd/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: install-example - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: install-example - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - # Track the progress of https://github.com/argoproj/argo-cd/pull/6280 - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: install - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.clusterVersion - value: "" - syncPolicy: - automated: {} ---- -# Source: pattern-install/templates/argocd/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: "" -spec: - channel: stable - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: install-example,openshift-gitops diff --git a/common/tests/letsencrypt-industrial-edge-factory.expected.yaml b/common/tests/letsencrypt-industrial-edge-factory.expected.yaml deleted file mode 100644 index b5aded2f..00000000 --- a/common/tests/letsencrypt-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-industrial-edge-hub.expected.yaml b/common/tests/letsencrypt-industrial-edge-hub.expected.yaml deleted file mode 100644 index b5aded2f..00000000 --- a/common/tests/letsencrypt-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml b/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index b5aded2f..00000000 --- a/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-naked.expected.yaml b/common/tests/letsencrypt-naked.expected.yaml deleted file mode 100644 index 73aa94a4..00000000 --- a/common/tests/letsencrypt-naked.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.example.com' - usages: - - server auth - dnsNames: - - api.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.example.com' - usages: - - server auth - dnsNames: - - '*.apps.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-normal.expected.yaml b/common/tests/letsencrypt-normal.expected.yaml deleted file mode 100644 index b5aded2f..00000000 --- a/common/tests/letsencrypt-normal.expected.yaml +++ /dev/null @@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. - controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-industrial-edge-factory.expected.yaml b/common/tests/operator-install-industrial-edge-factory.expected.yaml deleted file mode 100644 index 2bb7854e..00000000 --- a/common/tests/operator-install-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: false ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-industrial-edge-hub.expected.yaml b/common/tests/operator-install-industrial-edge-hub.expected.yaml deleted file mode 100644 index 2bb7854e..00000000 --- a/common/tests/operator-install-industrial-edge-hub.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: false ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml b/common/tests/operator-install-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 2bb7854e..00000000 --- a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: false ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-naked.expected.yaml b/common/tests/operator-install-naked.expected.yaml deleted file mode 100644 index d5f75c80..00000000 --- a/common/tests/operator-install-naked.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: default - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: false ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-normal.expected.yaml b/common/tests/operator-install-normal.expected.yaml deleted file mode 100644 index 2bb7854e..00000000 --- a/common/tests/operator-install-normal.expected.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -# Source: pattern-install/templates/pattern-operator-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: patterns-operator-config - namespace: openshift-operators -data: - gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.13 - - # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace - # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan - # gitops.ManualSync: GitOpsDefaultManualSync - # gitops.name: GitOpsDefaultPackageName ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - multiSourceConfig: - enabled: false ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install.expected.diff b/common/tests/operator-install.expected.diff deleted file mode 100644 index 3f73da90..00000000 --- a/common/tests/operator-install.expected.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- tests/operator-install-naked.expected.yaml -+++ tests/operator-install-normal.expected.yaml -@@ -6,7 +6,7 @@ - name: operator-install - namespace: openshift-operators - spec: -- clusterGroupName: default -+ clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main diff --git a/common/values-global.yaml b/common/values-global.yaml deleted file mode 100644 index 684f89f2..00000000 --- a/common/values-global.yaml +++ /dev/null @@ -1,20 +0,0 @@ -global: - options: - useCSV: True - syncPolicy: Manual - installPlanApproval: Automatic - applicationRetryLimit: 20 - - git: - hostname: github.com - # Account is the user or organization under which the pattern repos lives - account: hybrid-cloud-patterns - email: someone@somewhere.com - dev_revision: main - - secretStore: - backend: vault - -main: - clusterGroupName: example - diff --git a/values-global.yaml b/values-global.yaml index 77540952..73a363e4 100644 --- a/values-global.yaml +++ b/values-global.yaml @@ -1,6 +1,6 @@ --- global: - pattern: multicloud-gitops + pattern: connected-vehicle-architecture options: useCSV: false @@ -9,3 +9,6 @@ global: main: clusterGroupName: hub + multiSourceConfig: + enabled: true + clusterGroupVersion: "0.9.*" diff --git a/values-hub.yaml b/values-hub.yaml index d29ad7b0..e014f533 100644 --- a/values-hub.yaml +++ b/values-hub.yaml @@ -45,13 +45,15 @@ clusterGroup: name: vault namespace: vault project: hub - path: common/hashicorp-vault + chart: hashicorp-vault + chartVersion: 0.1.* golang-external-secrets: name: golang-external-secrets namespace: golang-external-secrets project: hub - path: common/golang-external-secrets + chart: golang-external-secrets + chartVersion: 0.1.* bobbycar-core-infra: name: bobbycar-core-infra @@ -66,7 +68,6 @@ clusterGroup: - /spec/config/retention.ms - /spec/config/segement.bytes - bobbycar-core-apps: name: bobbycar-core-apps namespace: bobbycar