diff --git a/common/.ansible-lint b/common/.ansible-lint index 353222eb..aaffc6b5 100644 --- a/common/.ansible-lint +++ b/common/.ansible-lint @@ -14,4 +14,7 @@ skip_list: exclude_paths: - ./ansible/playbooks/vault/vault.yaml - ./ansible/playbooks/iib-ci/iib-ci.yaml + - ./ansible/playbooks/k8s_secrets/k8s_secrets.yml + - ./ansible/playbooks/process_secrets/process_secrets.yml + - ./ansible/playbooks/process_secrets/display_secrets_info.yml - ./ansible/roles/vault_utils/tests/test.yml diff --git a/common/.github/workflows/chart-branches.yml b/common/.github/workflows/chart-branches.yml index d93b1dbb..1a4fb455 100644 --- a/common/.github/workflows/chart-branches.yml +++ b/common/.github/workflows/chart-branches.yml @@ -32,7 +32,7 @@ jobs: - name: Checkout Code uses: actions/checkout@v4 - - uses: dorny/paths-filter@v2 + - uses: dorny/paths-filter@v3 id: filter with: filters: | diff --git a/common/.github/workflows/linter.yml b/common/.github/workflows/linter.yml index 947cc127..39843f26 100644 --- a/common/.github/workflows/linter.yml +++ b/common/.github/workflows/linter.yml @@ -34,9 +34,9 @@ jobs: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Setup helm - uses: azure/setup-helm@v3 + uses: azure/setup-helm@v4 with: - version: 'v3.12.3' + version: 'v3.13.2' ################################ diff --git a/common/.gitignore b/common/.gitignore index 9e5051a8..454efc9e 100644 --- a/common/.gitignore +++ b/common/.gitignore @@ -5,6 +5,7 @@ __pycache__/ *.swo values-secret.yaml .*.expected.yaml +.vscode pattern-vault.init pattern-vault.init.bak super-linter.log diff --git a/common/Makefile b/common/Makefile index d07ca5cd..86cb5177 100644 --- a/common/Makefile +++ b/common/Makefile @@ -1,4 +1,5 @@ NAME ?= $(shell basename "`pwd`") + ifneq ($(origin TARGET_SITE), undefined) TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE) endif 
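Review bot: Nothing records why the three new secrets playbooks (`k8s_secrets.yml`, `process_secrets.yml`, `display_secrets_info.yml`) are added to `exclude_paths`, so the code that decrypts, parses and loads plaintext secrets is exactly the code ansible-lint never checks. The neighbouring entries (`vault.yaml`, `iib-ci.yaml`) suggest the reason is local modules and roles the linter cannot resolve, but that is a guess from this file alone. A comment above the new entries, e.g. `# excluded: rely on local modules/roles (parse_secrets_info, find_vp_secrets) that ansible-lint cannot resolve`, would record the intent, and if a single rule is what fires, a `skip_list` entry would keep the remaining checks active for these files.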
@@ -55,11 +56,12 @@ help: ## This help message show: ## show the starting template without installing it helm template common/operator-install/ --name-template $(NAME) $(HELM_OPTS) -preview-all: +preview-all: ## (EXPERIMENTAL) Previews all applications on hub and managed clusters + @echo "NOTE: This is just a tentative approximation of rendering all hub and managed clusters templates" @common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH) preview-%: - CLUSTERGROUP?=$(shell yq ".main.clusterGroupName" values-global.yaml) + $(eval CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml)) @common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH) .PHONY: operator-deploy 
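Review bot: In the new `preview-%` recipe, `$(eval CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml))` runs `yq` unconditionally, because the argument of `$(eval)` is expanded before the `?=` is parsed; a `CLUSTERGROUP=...` given on the command line still forks `yq` and still needs `values-global.yaml` to exist, only to discard the result. Escaping the inner call, `$(eval CLUSTERGROUP ?= $$(shell yq ".main.clusterGroupName" values-global.yaml))`, defers it to the first expansion of `$(CLUSTERGROUP)` and skips it entirely when the variable is already set. The script argument on the following line should also be quoted, `"$(CLUSTERGROUP)"`, since an empty result (for example when `yq` fails) would otherwise shift the positional arguments handed to `preview.sh`.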
@@ -77,15 +79,41 @@ uninstall: ## runs helm uninstall @oc delete csv -n openshift-operators $(CSV) .PHONY: load-secrets -load-secrets: ## loads the secrets into the vault +load-secrets: ## loads the secrets into the backend determined by values-global setting + common/scripts/process-secrets.sh $(NAME) + +.PHONY: legacy-load-secrets +legacy-load-secrets: ## loads the secrets into vault (only) common/scripts/vault-utils.sh push_secrets $(NAME) +.PHONY: secrets-backend-vault +secrets-backend-vault: ## Edits values files to use default Vault+ESO secrets config + common/scripts/set-secret-backend.sh vault + common/scripts/manage-secret-app.sh vault present + common/scripts/manage-secret-app.sh golang-external-secrets present + common/scripts/manage-secret-namespace.sh validated-patterns-secrets absent + @git diff --exit-code || echo "Secrets backend set to vault, please review changes, commit, and push to activate in the pattern" + +.PHONY: secrets-backend-kubernetes +secrets-backend-kubernetes: ## Edits values file to use Kubernetes+ESO secrets config + common/scripts/set-secret-backend.sh kubernetes + common/scripts/manage-secret-namespace.sh validated-patterns-secrets present + common/scripts/manage-secret-app.sh vault absent + common/scripts/manage-secret-app.sh golang-external-secrets present + @git diff --exit-code || echo "Secrets backend set to kubernetes, please review changes, commit, and push to activate in the pattern" + +.PHONY: secrets-backend-none +secrets-backend-none: ## Edits values files to remove secrets manager + ESO + common/scripts/set-secret-backend.sh none + common/scripts/manage-secret-app.sh vault absent + common/scripts/manage-secret-app.sh golang-external-secrets absent + common/scripts/manage-secret-namespace.sh validated-patterns-secrets absent + @git diff --exit-code || echo "Secrets backend set to none, please review changes, commit, and push to activate in the pattern" + .PHONY: load-iib load-iib: ## CI target to install Index Image 
Bundles @set -e; if [ x$(INDEX_IMAGES) != x ]; then \ - for IIB in $(shell echo $(INDEX_IMAGES) | tr ',' '\n'); do \ - INDEX_IMAGE="$${IIB}" ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \ - done; \ + ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \ else \ echo "No INDEX_IMAGES defined. Bailing out"; \ exit 1; \ @@ -99,14 +127,9 @@ load-iib: ## CI target to install Index Image Bundles .PHONY: validate-origin validate-origin: ## verify the git origin is available @echo "Checking repository:" - @echo -n " $(TARGET_REPO) - branch $(TARGET_BRANCH): " - @if [ ! -f /run/.containerenv ]; then\ - git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH) >/dev/null &&\ - echo "OK" ||\ - (echo "NOT FOUND"; exit 1);\ - else\ - echo "Running inside a container: Skipping git ssh checks";\ - fi + @echo -n " $(TARGET_REPO) - branch '$(TARGET_BRANCH)': " + @git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH) >/dev/null &&\ + echo "OK" || (echo "NOT FOUND"; exit 1) .PHONY: validate-cluster validate-cluster: ## Do some cluster validations before installing 
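Review bot: Nothing in the Makefile says that `iib-ci.yaml` must now split `INDEX_IMAGES` itself, yet the rewritten `load-iib` recipe passes the whole comma-separated value to a single `ansible-playbook` run where the removed loop invoked it once per image with `INDEX_IMAGE` set; a comment above the target such as `# INDEX_IMAGES (comma-separated) reaches the playbook via the environment; the playbook iterates over it` would record that contract, assuming that is what the playbook does. The three new `secrets-backend-*` targets repeat the same four scripts with different present/absent arguments and the same `git diff --exit-code || echo` tail; if another backend is added, a `define` template taking the backend name and the three present/absent flags would keep them in step. The `load-iib` recipe continues past the end of the hunk.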
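Review bot: `git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH)` prints "OK" for an empty `TARGET_BRANCH`: with no pattern, `--heads` lists every branch and `--exit-code` only fails when the remote has no heads at all, so an unset branch passes validation instead of being caught. Guarding the value first, `@test -n "$(TARGET_BRANCH)" || { echo "TARGET_BRANCH is empty"; exit 1; }`, and quoting both arguments in the `ls-remote` call closes that gap. Where `TARGET_REPO` and `TARGET_BRANCH` are derived is outside this hunk, so whether an empty value can actually occur is not visible here.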
@@ -130,15 +153,19 @@ validate-schema: ## validates values files against schema in common/clustergroup .PHONY: validate-prereq validate-prereq: ## verify pre-requisites - @echo "Checking prerequisites:" - @for t in $(EXECUTABLES); do if ! which $$t > /dev/null 2>&1; then echo "No $$t in PATH"; exit 1; fi; done - @echo " Check for '$(EXECUTABLES)': OK" - @echo -n " Check for python-kubernetes: " - @if ! ansible -m ansible.builtin.command -a "{{ ansible_python_interpreter }} -c 'import kubernetes'" localhost > /dev/null 2>&1; then echo "Not found"; exit 1; fi - @echo "OK" - @echo -n " Check for kubernetes.core collection: " - @if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi - @echo "OK" + @if [ ! -f /run/.containerenv ]; then\ + echo "Checking prerequisites:";\ + for t in $(EXECUTABLES); do if ! which $$t > /dev/null 2>&1; then echo "No $$t in PATH"; exit 1; fi; done;\ + echo " Check for '$(EXECUTABLES)': OK";\ + echo -n " Check for python-kubernetes: ";\ + if ! ansible -m ansible.builtin.command -a "{{ ansible_python_interpreter }} -c 'import kubernetes'" localhost > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\ + echo "OK";\ + echo -n " Check for kubernetes.core collection: ";\ + if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\ + echo "OK";\ + else\ + echo "Skipping prerequisites check as we're running inside a container";\ + fi .PHONY: argo-healthcheck argo-healthcheck: ## Checks if all argo applications are synced diff --git a/common/acm/templates/_helpers.tpl b/common/acm/templates/_helpers.tpl index fdd91273..910b3970 100644 --- a/common/acm/templates/_helpers.tpl +++ b/common/acm/templates/_helpers.tpl 
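Review bot: The new `if [ ! -f /run/.containerenv ]` wrapper skips every prerequisite check whenever that file exists, but `/run/.containerenv` is the marker podman writes; a Docker container carries `/.dockerenv` instead and would still run the checks, while a podman-run image missing one of the `EXECUTABLES` is now accepted without any statement of which tools the image is assumed to ship. If the intent is "trust the toolbox image", the condition should say so and cover both runtimes, e.g. `@if [ ! -f /run/.containerenv ] && [ ! -f /.dockerenv ]; then\`, with a comment above the target naming the image whose contents make the skip safe. Note that the container test removed from `validate-origin` earlier in this diff had the opposite effect (skipping only the git check), so in-container behaviour of the two targets has swapped rather than moved.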
@@ -5,9 +5,9 @@ Default always defined valueFiles to be included when pushing the cluster wide a - "/values-global.yaml" - "/values-{{ .name }}.yaml" - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' -- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml' +- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml' # We cannot use $.Values.global.clusterVersion because that gets resolved to the # hub's cluster version, whereas we want to include the spoke cluster version -- '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml' +- '/values-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml' {{- end }} {{- /*acm.app.policies.valuefiles */}} 
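Review bot: The rewritten last version line also drops the `-{{ .name }}` suffix, so the list no longer contains a `values-<major.minor>-<group>.yaml` entry for the spoke while the comment directly above it still explains that the entry exists to pick up the spoke cluster version; if removing the per-group versioned file is intended, the comment should say so, otherwise the suffix needs restoring. Separately, `index (lookup ... "ClusterVersion" "" "version").status.history 0` is the most recent history entry, which during an upgrade is the target version with state `Partial` rather than the version currently completed, so the previous `OpenShiftControllerManager` source may have been chosen to avoid that; the same expression is introduced for `global.clusterVersion` in `application-policies.yaml`. A comment recording which version is wanted mid-upgrade, e.g. `# history[0] is the most recent (possibly still in-progress) update`, would make the choice explicit.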
diff --git a/common/acm/templates/multiclusterhub.yaml b/common/acm/templates/multiclusterhub.yaml index 79ef9339..a4e8b89b 100644 --- a/common/acm/templates/multiclusterhub.yaml +++ b/common/acm/templates/multiclusterhub.yaml @@ -1,3 +1,7 @@ +{{- $channel := "" }} +{{- if .Values.acm.mce_operator.channel }} +{{- $channel = printf ",\"channel\": \"%s\"" .Values.acm.mce_operator.channel }} +{{- end }} apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub metadata: @@ -5,7 +9,5 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" - {{- if kindIs "map" .Values.clusterGroup.subscriptions }} - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.clusterGroup.subscriptions.acm.source }}" }' - {{- end }} + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.acm.mce_operator.source }}" {{- $channel }} }' spec: {} diff --git a/common/acm/templates/policies/application-policies.yaml b/common/acm/templates/policies/application-policies.yaml index e2e717ca..131f4f3e 100644 --- a/common/acm/templates/policies/application-policies.yaml +++ b/common/acm/templates/policies/application-policies.yaml @@ -1,4 +1,5 @@ # TODO: Also create a GitOpsCluster.apps.open-cluster-management.io +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} {{- range .Values.clusterGroup.managedClusterGroups }} {{- $group := . }} {{- if not .hostedArgoSites }} 
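Review bot: The `mce-subscription-spec` annotation is now spliced together by hand from `printf ",\"channel\": \"%s\""` and an unquoted `.Values.acm.mce_operator.source`, so any value containing a `"` or `\` yields invalid JSON that the ACM installer rejects at runtime rather than at render time; the second hunk of this file (the `installer.open-cluster-management.io/mce-subscription-spec` line) is where it lands. Building a map and letting `toJson` serialize it keeps both fields escaped and removes the string assembly. The former `kindIs "map" .Values.clusterGroup.subscriptions` guard is also gone, so the annotation now renders on every hub; that looks intentional given the `acm.mce_operator` defaults added in `values.yaml`, but is worth confirming.
```yaml
{{- $mceSpec := dict "source" (default "redhat-operators" .Values.acm.mce_operator.source) }}
{{- if .Values.acm.mce_operator.channel }}
{{- $_ := set $mceSpec "channel" .Values.acm.mce_operator.channel }}
{{- end }}
# … unchanged: apiVersion, kind, metadata.name/namespace, sync-wave annotation …
    installer.open-cluster-management.io/mce-subscription-spec: {{ $mceSpec | toJson | quote }}
```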
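Review bot: `$hasInitContainerCapability` is declared at the top of `application-policies.yaml` but none of this file's hunks reads it; the capability string is instead forwarded as the `global.experimentalCapabilities` parameter, and the identical declaration in `ocp-gitops-policy.yaml` is the one that gates content. If it is unused here, dropping the line saves a reader hunting for the consumer; if a consumer exists outside the visible hunks, a short comment naming it would help. Go templates do not reject unused variables, so nothing flags this at render time.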
@@ -43,18 +44,15 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - {{- include "acm.app.policies.valuefiles" . | nindent 24 }} + {{- include "acm.app.policies.valuefiles" . | nindent 22 }} {{- range $valueFile := $.Values.global.extraValueFiles }} - {{ $valueFile | quote }} {{- end }} - {{- range $valueFile := .extraValueFiles }} - - {{ $valueFile | quote }} - {{- end }} parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: {{ $.Values.global.repoURL }} - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: {{ $.Values.global.targetRevision }} - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern 
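Review bot: The new `value: {{ $.Values.global.repoURL }}` and `value: {{ $.Values.global.targetRevision }}` lines emit the values as unquoted YAML scalars, unlike the `helmOverrides` entries a few lines down that use `{{ .value | quote }}`; a `targetRevision` such as `1.0` would be re-typed as a number and Argo expects parameter values to be strings. `value: {{ $.Values.global.repoURL | quote }}` and `value: {{ $.Values.global.targetRevision | quote }}` follow the file's own convention. Replacing `$ARGOCD_APP_SOURCE_REPO_URL` with the hub's `global.repoURL` also pins each managed-cluster Application to the hub's values instead of its own source; if that is the intent, a one-line comment would stop it being "fixed" back later.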
@@ -63,18 +61,18 @@ spec: value: {{ $.Values.global.hubClusterDomain }} - name: global.localClusterDomain value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}` }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}` }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}' + value: '{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}' - name: global.localClusterName value: '{{ `{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}` }}' - name: global.clusterPlatform value: {{ $.Values.global.clusterPlatform }} - name: clusterGroup.name value: {{ $group.name }} + - name: global.experimentalCapabilities + value: {{ $.Values.global.experimentalCapabilities }} {{- range .helmOverrides }} - name: {{ .name }} value: {{ .value | quote }} diff --git a/common/acm/templates/policies/ocp-gitops-policy.yaml b/common/acm/templates/policies/ocp-gitops-policy.yaml index 4691c18d..bec5b343 100644 --- a/common/acm/templates/policies/ocp-gitops-policy.yaml +++ b/common/acm/templates/policies/ocp-gitops-policy.yaml @@ -1,3 +1,4 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: 
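Review bot: `value: {{ $.Values.global.experimentalCapabilities }}` renders as `value:` with no scalar when the key is unset, which YAML reads as null rather than the empty string, and the `acm/values.yaml` hunk in this commit adds `acm.mce_operator` but no `global.experimentalCapabilities` default, so unless it is defined in a file outside this diff the unset case is the default. `value: {{ $.Values.global.experimentalCapabilities | quote }}` yields `""` and keeps the parameter a string like the quoted `helmOverrides` values below it. The `global.clusterVersion` switch to `ClusterVersion .status.history 0` carries the same in-progress-upgrade caveat as the identical expression in `_helpers.tpl`.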
@@ -24,6 +25,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -35,7 +45,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: {{ default "gitops-1.8" .Values.main.gitops.channel }} + channel: {{ default "gitops-1.12" .Values.main.gitops.channel }} installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators 
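Review bot: The new `trusted-ca-bundle` ConfigMap is declared with `complianceType: mustonlyhave`, but the `config.openshift.io/inject-trusted-cabundle: 'true'` label exists precisely so that the cluster network operator adds a `data.ca-bundle.crt` key the policy does not list; under `mustonlyhave` that injected key makes the object non-compliant, and with an enforcing `remediationAction` (set outside this hunk) the policy and the operator would keep overwriting each other. `complianceType: musthave` expresses the intent — a ConfigMap with that label must exist — without fighting the injected data. A short comment, `# data.ca-bundle.crt is injected by the cluster network operator`, would explain why the ConfigMap is otherwise empty.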
@@ -44,6 +54,163 @@ spec: env: - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES value: "*" +{{- if $hasInitContainerCapability }} + - complianceType: mustonlyhave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: openshift-gitops + namespace: openshift-gitops + spec: + applicationSet: + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + webhookServer: + ingress: + enabled: false + route: + enabled: false + controller: + processors: {} + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 1Gi + sharding: {} + grafana: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + route: + enabled: false + ha: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + initialSSHKnownHosts: {} + monitoring: + enabled: false + notifications: + enabled: false + prometheus: + enabled: false + ingress: + enabled: false + route: + enabled: false + rbac: + defaultPolicy: "" + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + scopes: '[groups]' + redis: + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + repo: + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt + || true + image: registry.access.redhat.com/ubi9/ubi-minimal:latest + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + 
name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - emptyDir: {} + name: ca-bundles + resourceExclusions: |- + - apiGroups: + - tekton.dev + clusters: + - '*' + kinds: + - TaskRun + - PipelineRun + server: + autoscale: + enabled: false + grpc: + ingress: + enabled: false + ingress: + enabled: false + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 125m + memory: 128Mi + route: + enabled: true + service: + type: "" + sso: + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi + provider: dex + tls: + ca: {} +{{- end }}{{/* if hasInitContainerCapability */}} --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding diff --git a/common/acm/values.yaml b/common/acm/values.yaml index 1100bafd..c5f222c9 100644 --- a/common/acm/values.yaml +++ b/common/acm/values.yaml @@ -1,6 +1,6 @@ main: gitops: - channel: "gitops-1.8" + channel: "gitops-1.12" global: extraValueFiles: [] @@ -30,6 +30,15 @@ clusterGroup: # - name: clusterGroup # value: region-one +acm: + # Just used for IIB testing, drives the source and channel for the MCE + # subscription triggered by ACM + mce_operator: + source: redhat-operators + channel: null + + + secretStore: name: vault-backend kind: ClusterSecretStore diff --git a/common/ansible/playbooks/k8s_secrets/k8s_secrets.yml b/common/ansible/playbooks/k8s_secrets/k8s_secrets.yml new file mode 100644 index 00000000..989a498a --- /dev/null +++ b/common/ansible/playbooks/k8s_secrets/k8s_secrets.yml @@ -0,0 +1,9 @@ +--- +- name: Secrets parsing and direct loading + hosts: localhost + connection: local + gather_facts: false + roles: + - find_vp_secrets + - cluster_pre_check + - k8s_secret_utils diff --git a/common/ansible/playbooks/process_secrets/display_secrets_info.yml b/common/ansible/playbooks/process_secrets/display_secrets_info.yml new file mode 100644 index 00000000..4d972359 --- /dev/null 
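Review bot: The `fetch-ca` init container mounts an `emptyDir` over `/etc/pki/tls/certs`, which hides the repo-server image's own CA bundle, so the only trust roots the repo server ever sees are what `cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt` writes; with `|| true` on that command and `optional: true` on the `trusted-ca-bundle` volume, a missing or not-yet-injected ConfigMap produces a bundle holding only the API-server CA, and every TLS fetch from public git or Helm hosts then fails with no signal at the pod level. Dropping `|| true` (or testing that `/var/run/trusted-ca/ca-bundle.crt` exists before writing) surfaces the failure at the init container instead of at sync time. `image: registry.access.redhat.com/ubi9/ubi-minimal:latest` is a floating tag on a container that shapes the trust store; pinning it to a digest (`ubi-minimal@sha256:<digest>`, placeholder) makes the policy reproducible. The remainder of the spec pins a full ArgoCD configuration (resources, rbac, sso) under `mustonlyhave`, so any out-of-band tuning of those fields becomes policy drift; that may be acceptable, but deserves a comment saying so.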
+++ b/common/ansible/playbooks/process_secrets/display_secrets_info.yml @@ -0,0 +1,29 @@ +--- +- name: Parse and display secrets + hosts: localhost + connection: local + gather_facts: false + vars: + secrets_backing_store: "vault" + tasks: + # Set the VALUES_SECRET environment variable to the file to parse + - name: Find and decrypt secrets if needed + ansible.builtin.include_role: + name: find_vp_secrets + + # find_vp_secrets will return a plaintext data structure called values_secrets_data + # This will allow us to determine schema version and which backend to use + - name: Determine how to load secrets + ansible.builtin.set_fact: + secrets_yaml: '{{ values_secrets_data | from_yaml }}' + + - name: Parse secrets data + no_log: '{{ override_no_log | default(true) }}' + parse_secrets_info: + values_secrets_plaintext: "{{ values_secrets_data }}" + secrets_backing_store: "{{ secrets_backing_store }}" + register: secrets_results + + - name: Display secrets data + ansible.builtin.debug: + var: secrets_results diff --git a/common/ansible/playbooks/process_secrets/process_secrets.yml b/common/ansible/playbooks/process_secrets/process_secrets.yml new file mode 100644 index 00000000..ecc1b565 --- /dev/null +++ b/common/ansible/playbooks/process_secrets/process_secrets.yml 
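Review bot: The `Determine how to load secrets` task stores the decrypted file in `secrets_yaml` via `set_fact` with no `no_log`, and `set_fact` reports its `ansible_facts` in the task result at `-v`, so the plaintext secrets reach the console and any CI log capture through a task other than the deliberate `debug` at the end; the same task appears in `process_secrets.yml`. `no_log: '{{ override_no_log | default(true) }}'` on that task, matching the parse task below it, keeps both playbooks consistent. In this playbook `secrets_yaml` is never read after being set, so here the task could be removed outright. The closing `debug: var: secrets_results` is the playbook's purpose, but a comment such as `# Output contains plaintext secret values and generated Secret objects; do not capture in shared logs` above it would make that explicit.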
@@ -0,0 +1,50 @@ +--- +- name: Parse and load secrets + hosts: localhost + connection: local + gather_facts: false + vars: + secrets_role: 'vault_utils' + pattern_name: 'common' + pattern_dir: '.' + secrets_backing_store: 'vault' + tasks_from: 'push_parsed_secrets' + tasks: + - name: "Run secret-loading pre-requisites" + ansible.builtin.include_role: + name: '{{ item }}' + loop: + - cluster_pre_check + - find_vp_secrets + + # find_vp_secrets will return a plaintext data structure called values_secrets_data + # This will allow us to determine schema version and which backend to use + - name: Determine how to load secrets + ansible.builtin.set_fact: + secrets_yaml: '{{ values_secrets_data | from_yaml }}' + + - name: Parse secrets data + no_log: '{{ override_no_log | default(true) }}' + parse_secrets_info: + values_secrets_plaintext: "{{ values_secrets_data }}" + secrets_backing_store: "{{ secrets_backing_store }}" + register: secrets_results + + # Use the k8s secrets loader when explicitly requested + - name: Determine role to use to load secrets + ansible.builtin.set_fact: + secrets_role: 'k8s_secret_utils' + tasks_from: 'inject_k8s_secrets' + when: + - secrets_backing_store == "kubernetes" or secrets_backing_store == "none" + - secrets_yaml['version'] | default('2.0') >= '2.0' + + # secrets_role will have been changed from the default if needed + - name: Load secrets using designated role and tasks + ansible.builtin.include_role: + name: '{{ secrets_role }}' + tasks_from: '{{ tasks_from }}' + vars: + kubernetes_secret_objects: "{{ secrets_results['kubernetes_secret_objects'] }}" + vault_policies: "{{ secrets_results['vault_policies'] }}" + parsed_secrets: "{{ secrets_results['parsed_secrets'] }}" diff --git a/common/ansible/playbooks/vault/vault.yaml b/common/ansible/playbooks/vault/vault.yaml index 64711e47..b0da9405 100644 --- a/common/ansible/playbooks/vault/vault.yaml +++ b/common/ansible/playbooks/vault/vault.yaml 
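Review bot: The `when` clause `secrets_yaml['version'] | default('2.0') >= '2.0'` is a string comparison: it works for `'2.0'`, but a future `'10.0'` sorts below `'2.0'` lexically, and if the file writes `version: 2.0` unquoted, YAML yields a float and comparing a float with a string errors the task. `(secrets_yaml['version'] | default('2.0') | string) is version('2.0', '>=')` handles both cases. The first task runs `cluster_pre_check` before `find_vp_secrets`, whereas `k8s_secrets.yml` and `vault.yaml` in this commit list `find_vp_secrets` first; failing the cluster check before decrypting secrets is the preferable order, so the other two playbooks are the ones to align. The `secrets_backing_store == "kubernetes" or secrets_backing_store == "none"` condition reads more naturally as `secrets_backing_store in ['kubernetes', 'none']`.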
@@ -4,4 +4,6 @@ connection: local gather_facts: false roles: + - find_vp_secrets + - cluster_pre_check - vault_utils diff --git a/common/ansible/plugins/module_utils/load_secrets_common.py b/common/ansible/plugins/module_utils/load_secrets_common.py index 1652a287..b4ebc816 100644 --- a/common/ansible/plugins/module_utils/load_secrets_common.py +++ b/common/ansible/plugins/module_utils/load_secrets_common.py @@ -102,3 +102,23 @@ def get_ini_value(inifile, inisection, inikey): config = configparser.ConfigParser() config.read(inifile) return config.get(inisection, inikey, fallback=None) + + +def stringify_dict(input_dict): + """ + Return a dict whose keys and values are all co-erced to strings, for creating labels and annotations in the + python Kubernetes module + + Parameters: + input_dict(dict): A dictionary of keys and values + + Returns: + + obj: The same dict in the same order but with the keys coerced to str + """ + output_dict = {} + + for key, value in input_dict.items(): + output_dict[str(key)] = str(value) + + return output_dict diff --git a/common/ansible/plugins/module_utils/parse_secrets_v2.py b/common/ansible/plugins/module_utils/parse_secrets_v2.py new file mode 100644 index 00000000..512f75ef --- /dev/null +++ b/common/ansible/plugins/module_utils/parse_secrets_v2.py 
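Review bot: `stringify_dict` turns a YAML `null` label or annotation value into the literal string `"None"` (and `True` into `"True"`) because it applies `str()` without distinguishing absent from present values; a `labels: {team: null}` entry would then be sent to the API as `team: "None"`, which is unlikely to be what the author wrote. Mapping `None` to `""` (or rejecting it) before `str()` avoids that, and the body itself is a one-line comprehension, `return {str(k): str(v) for k, v in input_dict.items()}`. The docstring also has a stray blank line after `Returns:` and says only the keys are coerced while the values are too; `Returns: dict: the same items in insertion order, with both keys and values passed through str()` states it exactly.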
@@ -0,0 +1,527 @@ +# Copyright 2022, 2023 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Module that implements V2 of the values-secret.yaml spec +""" + +import base64 +import getpass +import os + +from ansible.module_utils.load_secrets_common import ( + find_dupes, + get_ini_value, + get_version, + stringify_dict, +) + +default_vp_vault_policies = { + "validatedPatternDefaultPolicy": ( + "length=20\n" + 'rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\n' + 'rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\n' + 'rule "charset" { charset = "0123456789" min-chars = 1 }\n' + 'rule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' + ) +} + +secret_store_namespace = "validated-patterns-secrets" + + +class ParseSecretsV2: + def __init__(self, module, syaml, secrets_backing_store): + self.module = module + self.syaml = syaml + self.secrets_backing_store = str(secrets_backing_store) + self.secret_store_namespace = None + self.parsed_secrets = {} + self.kubernetes_secret_objects = [] + self.vault_policies = {} + + def _get_backingstore(self): + """ + Backing store is now influenced by the caller more than the file. Setting + Return the backingStore: of the parsed yaml object. In most cases the file + key was not set anyway - since vault was the only supported option. 
Since + we are introducing new options now, this method of defining behavior is + deprecated, but if the file key is included it must match the option defined + by values-global in the pattern, or there is an error. The default remains + 'vault' if the key is unspecified. + + Returns: + ret(str): The value of the top-level 'backingStore:' key + """ + file_backing_store = str(self.syaml.get("backingStore", "unset")) + + if file_backing_store == "unset": + pass + else: + if file_backing_store != self.secrets_backing_store: + self.module.fail_json( + f"Secrets file specifies '{file_backing_store}' backend but pattern config " + f"specifies '{self.secrets_backing_store}'." + ) + + return self.secrets_backing_store + + def _get_vault_policies(self, enable_default_vp_policies=True): + # We start off with the hard-coded default VP policy and add the user-defined ones + if enable_default_vp_policies: + policies = default_vp_vault_policies.copy() + else: + policies = {} + + # This is useful for embedded newlines, which occur with YAML + # flow-type scalars (|, |- for example) + for name, policy in self.syaml.get("vaultPolicies", {}).items(): + policies[name] = self._sanitize_yaml_value(policy) + + return policies + + def _get_secrets(self): + return self.syaml.get("secrets", {}) + + def _get_field_on_missing_value(self, f): + # By default if 'onMissingValue' is missing we assume we need to + # error out whenever the value is missing + return f.get("onMissingValue", "error") + + def _get_field_value(self, f): + return f.get("value", None) + + def _get_field_path(self, f): + return f.get("path", None) + + def _get_field_ini_file(self, f): + return f.get("ini_file", None) + + def _get_field_annotations(self, f): + return f.get("annotations", {}) + + def _get_field_labels(self, f): + return f.get("labels", {}) + + def _get_field_kind(self, f): + # value: null will be interpreted with None, so let's just + # check for the existence of the field, as we use 'value: null' to say + 
# "we want a value/secret and not a file path" + found = [] + for i in ["value", "path", "ini_file"]: + if i in f: + found.append(i) + + if len(found) > 1: # you can only have one of value, path and ini_file + self.module.fail_json( + f"Both '{found[0]}' and '{found[1]}' cannot be used " + f"in field {f['name']}" + ) + + if len(found) == 0: + return "" + return found[0] + + def _get_field_prompt(self, f): + return f.get("prompt", None) + + def _get_field_base64(self, f): + return bool(f.get("base64", False)) + + def _get_field_override(self, f): + return bool(f.get("override", False)) + + def _get_secret_store_namespace(self): + return str(self.syaml.get("secretStoreNamespace", secret_store_namespace)) + + def _get_vault_prefixes(self, s): + return list(s.get("vaultPrefixes", ["hub"])) + + def _get_default_labels(self): + return self.syaml.get("defaultLabels", {}) + + def _get_default_annotations(self): + return self.syaml.get("defaultAnnotations", {}) + + def _append_kubernetes_secret(self, secret_obj): + self.kubernetes_secret_objects.append(secret_obj) + + def _sanitize_yaml_value(self, value): + # This is useful for embedded newlines, which occur with YAML + # flow-type scalars (|, |- for example) + if value is not None: + sanitized_value = bytes(value, "utf-8").decode("unicode_escape") + else: + sanitized_value = None + + return sanitized_value + + def _create_k8s_secret(self, sname, secret_type, namespace, labels, annotations): + return { + "type": secret_type, + "kind": "Secret", + "apiVersion": "v1", + "metadata": { + "name": sname, + "namespace": namespace, + "annotations": annotations, + "labels": labels, + }, + "stringData": {}, + } + + # This does what inject_secrets used to (mostly) + def parse(self): + self.sanitize_values() + self.vault_policies = self._get_vault_policies() + self.secret_store_namespace = self._get_secret_store_namespace() + backing_store = self._get_backingstore() + secrets = self._get_secrets() + + total_secrets = 0 # Counter for 
all the secrets uploaded + for s in secrets: + total_secrets += 1 + counter = 0 # This counter is to use kv put on first secret and kv patch on latter + sname = s.get("name") + fields = s.get("fields", []) + vault_prefixes = self._get_vault_prefixes(s) + secret_type = s.get("type", "Opaque") + vault_mount = s.get("vaultMount", "secret") + target_namespaces = s.get("targetNamespaces", []) + labels = stringify_dict(s.get("labels", self._get_default_labels())) + annotations = stringify_dict( + s.get("annotations", self._get_default_annotations()) + ) + + self.parsed_secrets[sname] = { + "name": sname, + "fields": {}, + "vault_mount": vault_mount, + "vault_policies": {}, + "vault_prefixes": vault_prefixes, + "override": [], + "generate": [], + "paths": {}, + "base64": [], + "ini_file": {}, + "type": secret_type, + "target_namespaces": target_namespaces, + "labels": labels, + "annotations": annotations, + } + + for i in fields: + self._inject_field(sname, i) + counter += 1 + + if backing_store == "kubernetes": + k8s_namespaces = [self._get_secret_store_namespace()] + else: + k8s_namespaces = target_namespaces + + for tns in k8s_namespaces: + k8s_secret = self._create_k8s_secret( + sname, secret_type, tns, labels, annotations + ) + k8s_secret["stringData"] = self.parsed_secrets[sname]["fields"] + self.kubernetes_secret_objects.append(k8s_secret) + + return total_secrets + + # This function could use some rewriting and it should call a specific validation function + # for each type (value, path, ini_file) + def _validate_field(self, f): + # These fields are mandatory + try: + _ = f["name"] + except KeyError: + return (False, f"Field {f} is missing name") + + on_missing_value = self._get_field_on_missing_value(f) + if on_missing_value not in ["error", "generate", "prompt"]: + return (False, f"onMissingValue: {on_missing_value} is invalid") + + value = self._get_field_value(f) + path = self._get_field_path(f) + ini_file = self._get_field_ini_file(f) + kind = 
self._get_field_kind(f) + if kind == "ini_file": + # if we are using ini_file then at least ini_key needs to be defined + # ini_section defaults to 'default' when omitted + ini_key = f.get("ini_key", None) + if ini_key is None: + return ( + False, + "ini_file requires at least ini_key to be defined", + ) + + # Test if base64 is a correct boolean (defaults to False) + _ = self._get_field_base64(f) + _ = self._get_field_override(f) + + vault_policy = f.get("vaultPolicy", None) + if vault_policy is not None and vault_policy not in self._get_vault_policies(): + return ( + False, + f"Secret has vaultPolicy set to {vault_policy} but no such policy exists", + ) + + if on_missing_value in ["error"]: + if ( + (value is None or len(value) < 1) + and (path is None or len(path) < 1) + and (ini_file is None or len(ini_file) < 1) + ): + return ( + False, + "Secret has onMissingValue set to 'error' and has neither value nor path nor ini_file set", + ) + if path is not None and not os.path.isfile(os.path.expanduser(path)): + return (False, f"Field has non-existing path: {path}") + + if ini_file is not None and not os.path.isfile( + os.path.expanduser(ini_file) + ): + return (False, f"Field has non-existing ini_file: {ini_file}") + + if on_missing_value in ["prompt"]: + # When we prompt, the user needs to set one of the following: + # - value: null # prompt for a secret without a default value + # - value: 123 # prompt for a secret but use a default value + # - path: null # prompt for a file path without a default value + # - path: /tmp/ca.crt # prompt for a file path with a default value + if "value" not in f and "path" not in f: + return ( + False, + "Secret has onMissingValue set to 'prompt' but has no value nor path fields", + ) + + if "override" in f: + return ( + False, + "'override' attribute requires 'onMissingValue' to be set to 'generate'", + ) + + return (True, "") + + def _validate_secrets(self): + backing_store = self._get_backingstore() + secrets = self._get_secrets() 
+ if len(secrets) == 0: + self.module.fail_json("No secrets found") + + names = [] + for s in secrets: + # These fields are mandatory + for i in ["name"]: + try: + _ = s[i] + except KeyError: + return (False, f"Secret {s['name']} is missing {i}") + names.append(s["name"]) + + vault_prefixes = s.get("vaultPrefixes", ["hub"]) + # This checks for the case when vaultPrefixes: is specified but empty + if vault_prefixes is None or len(vault_prefixes) == 0: + return (False, f"Secret {s['name']} has empty vaultPrefixes") + + namespaces = s.get("targetNamespaces", []) + if not isinstance(namespaces, list): + return (False, f"Secret {s['name']} targetNamespaces must be a list") + + if backing_store == "none" and namespaces == []: + return ( + False, + f"Secret {s['name']} targetNamespaces cannot be empty for secrets backend {backing_store}", + ) # noqa: E501 + + labels = s.get("labels", {}) + if not isinstance(labels, dict): + return (False, f"Secret {s['name']} labels must be a dictionary") + + annotations = s.get("annotations", {}) + if not isinstance(annotations, dict): + return (False, f"Secret {s['name']} annotations must be a dictionary") + + fields = s.get("fields", []) + if len(fields) == 0: + return (False, f"Secret {s['name']} does not have any fields") + + field_names = [] + for i in fields: + (ret, msg) = self._validate_field(i) + if not ret: + return (False, msg) + field_names.append(i["name"]) + field_dupes = find_dupes(field_names) + if len(field_dupes) > 0: + return (False, f"You cannot have duplicate field names: {field_dupes}") + + dupes = find_dupes(names) + if len(dupes) > 0: + return (False, f"You cannot have duplicate secret names: {dupes}") + return (True, "") + + def sanitize_values(self): + """ + Sanitizes the secrets YAML object version 2.0 + + Parameters: + + Returns: + Nothing: Updates self.syaml(obj) if needed + """ + v = get_version(self.syaml) + if v not in ["2.0"]: + self.module.fail_json(f"Version is not 2.0: {v}") + + backing_store = 
self._get_backingstore() + if backing_store not in [ + "kubernetes", + "vault", + "none", + ]: # we currently only support vault + self.module.fail_json( + f"Currently only the 'vault', 'kubernetes' and 'none' backingStores are supported: {backing_store}" + ) + + (ret, msg) = self._validate_secrets() + if not ret: + self.module.fail_json(msg) + + def _get_secret_value(self, name, field): + on_missing_value = self._get_field_on_missing_value(field) + # We cannot use match + case as RHEL8 has python 3.9 (it needs 3.10) + # We checked for errors in _validate_secrets() already + if on_missing_value == "error": + return self._sanitize_yaml_value(field.get("value")) + elif on_missing_value == "prompt": + prompt = self._get_field_prompt(field) + if prompt is None: + prompt = f"Type secret for {name}/{field['name']}: " + value = self._get_field_value(field) + if value is not None: + prompt += f" [{value}]" + prompt += ": " + return getpass.getpass(prompt) + return None + + def _get_file_path(self, name, field): + on_missing_value = self._get_field_on_missing_value(field) + if on_missing_value == "error": + return os.path.expanduser(field.get("path")) + elif on_missing_value == "prompt": + prompt = self._get_field_prompt(field) + path = self._get_field_path(field) + if path is None: + path = "" + + if prompt is None: + text = f"Type path for file {name}/{field['name']} [{path}]: " + else: + text = f"{prompt} [{path}]: " + + newpath = getpass.getpass(text) + if newpath == "": # Set the default if no string was entered + newpath = path + + if os.path.isfile(os.path.expanduser(newpath)): + return newpath + self.module.fail_json(f"File {newpath} not found, exiting") + + self.module.fail_json("File with wrong onMissingValue") + + def _inject_field(self, secret_name, f): + on_missing_value = self._get_field_on_missing_value(f) + override = self._get_field_override(f) + kind = self._get_field_kind(f) + b64 = self._get_field_base64(f) + + if kind in ["value", ""]: + if 
on_missing_value == "generate": + self.parsed_secrets[secret_name]["generate"].append(f["name"]) + if self._get_backingstore() != "vault": + self.module.fail_json( + "You cannot have onMissingValue set to 'generate' unless using vault backingstore " + f"for secret {secret_name} field {f['name']}" + ) + else: + if kind in ["path", "ini_file"]: + self.module.fail_json( + "You cannot have onMissingValue set to 'generate' with a path or ini_file" + f" for secret {secret_name} field {f['name']}" + ) + + vault_policy = f.get("vaultPolicy", "validatedPatternDefaultPolicy") + + if override: + self.parsed_secrets[secret_name]["override"].append(f["name"]) + + if b64: + self.parsed_secrets[secret_name]["base64"].append(f["name"]) + + self.parsed_secrets[secret_name]["fields"][f["name"]] = None + self.parsed_secrets[secret_name]["vault_policies"][ + f["name"] + ] = vault_policy + + return + + # If we're not generating the secret inside the vault directly we either read it from the file ("error") + # or we are prompting the user for it + secret = self._get_secret_value(secret_name, f) + if b64: + secret = base64.b64encode(secret.encode()).decode("utf-8") + self.parsed_secrets[secret_name]["base64"].append(f["name"]) + + self.parsed_secrets[secret_name]["fields"][f["name"]] = secret + + elif kind == "path": # path. we upload files + path = self._get_file_path(secret_name, f) + self.parsed_secrets[secret_name]["paths"][f["name"]] = path + + binfile = False + + # Default to UTF-8 + try: + secret = open(path, encoding="utf-8").read() + except UnicodeDecodeError: + secret = open(path, "rb").read() + binfile = True + + if b64: + self.parsed_secrets[secret_name]["base64"].append(f["name"]) + if binfile: + secret = base64.b64encode(bytes(secret)).decode("utf-8") + else: + secret = base64.b64encode(secret.encode()).decode("utf-8") + + self.parsed_secrets[secret_name]["fields"][f["name"]] = secret + elif kind == "ini_file": # ini_file. 
we parse an ini_file + ini_file = os.path.expanduser(f.get("ini_file")) + ini_section = f.get("ini_section", "default") + ini_key = f.get("ini_key") + secret = get_ini_value(ini_file, ini_section, ini_key) + if b64: + self.parsed_secrets[secret_name]["base64"].append(f["name"]) + secret = base64.b64encode(secret.encode()).decode("utf-8") + + self.parsed_secrets[secret_name]["ini_file"][f["name"]] = { + "ini_file": ini_file, + "ini_section": ini_section, + "ini_key": ini_key, + } + self.parsed_secrets[secret_name]["fields"][f["name"]] = secret + + return diff --git a/common/ansible/plugins/modules/parse_secrets_info.py b/common/ansible/plugins/modules/parse_secrets_info.py new file mode 100644 index 00000000..b962271a --- /dev/null +++ b/common/ansible/plugins/modules/parse_secrets_info.py 
@@ -0,0 +1,149 @@
+# Copyright 2022,2023 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""
+Ansible plugin module that loads secrets from a yaml file and pushes them
+inside the HashiCorp Vault in an OCP cluster. The values-secrets.yaml file is
+expected to be in the following format:
+---
+# version is optional. When not specified it is assumed it is 1.0
+version: 1.0
+
+# These secrets will be pushed in the vault at secret/hub/test The vault will
+# have secret/hub/test with secret1 and secret2 as keys with their associated
+# values (secrets)
+secrets:
+ test:
+ secret1: foo
+ secret2: bar
+
+# This will create the vault key secret/hub/testfoo which will have two
+# properties 'b64content' and 'content' which will be the base64-encoded
+# content and the normal content respectively
+files:
+ testfoo: ~/ca.crt
+
+# These secrets will be pushed in the vault at secret/region1/test The vault will
+# have secret/region1/test with secret1 and secret2 as keys with their associated
+# values (secrets)
+secrets.region1:
+ test:
+ secret1: foo1
+ secret2: bar1
+
+# This will create the vault key secret/region2/testbar which will have two
+# properties 'b64content' and 'content' which will be the base64-encoded
+# content and the normal content respectively
+files.region2:
+ testbar: ~/ca.crt
+"""
+
+import yaml
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.parse_secrets_v2 import ParseSecretsV2
+
+ANSIBLE_METADATA = {
+ "metadata_version": "1.2",
+ "status": ["preview"],
+ "supported_by": "community",
+}
+
+DOCUMENTATION = """
+---
+module: parse_secrets_info
+short_description: Parses a Validated Patterns Secrets file for later loading
+version_added: "2.50"
+author: "Martin Jackson"
+description:
+ - Takes a values-secret.yaml file, parses and returns values for secrets loading. The goal here is to do all the
+ work of reading and interpreting the file and resolving the content pointers (that is, creating content where it
+ is given) such that that content is then available for secrets vaults to load. It does not attempt to load the
+ content or interpret the content beyond the conventions of the file format. (So, it knows how to retrieve
+ ini-keys, about paths, and about base64 but leaves interaction with backends to backend-specific code.
+options:
+ values_secrets_plaintext:
+ description:
+ - The unencrypted content of the values-secrets file
+ required: true
+ type: str
+ secrets_backing_store:
+ description:
+ - The secrets backing store that will be used for parsed secrets (i.e. vault, kubernetes, none)
+ required: false
+ default: vault
+ type: str
+"""
+
+RETURN = """
+"""
+
+EXAMPLES = """
+- name: Parse secrets file into objects - backingstore defaults to vault
+ parse_secrets_info:
+ values_secrets_plaintext: '{{ }}'
+ register: secrets_info
+
+- name: Parse secrets file into data structures
+ parse_secrets_info:
+ values_secrets_plaintext: '{{ }}'
+ secrets_backing_store: 'kubernetes'
+ register: secrets_info
+
+- name: Parse secrets file into data structures
+ parse_secrets_info:
+ values_secrets_plaintext: '{{ }}'
+ secrets_backing_store: 'none'
+ register: secrets_info
+"""
+
+
+def run(module):
+ """Main ansible module entry point"""
+ results = dict(changed=False)
+
+ args = module.params
+ values_secrets_plaintext = args.get("values_secrets_plaintext", "")
+ secrets_backing_store = args.get("secrets_backing_store", "vault")
+
+ syaml = yaml.safe_load(values_secrets_plaintext)
+
+ if syaml is None:
+ syaml = {}
+
+ parsed_secret_obj = ParseSecretsV2(module, syaml, secrets_backing_store)
+ parsed_secret_obj.parse()
+
+ results["failed"] = False
+ results["changed"] = False
+
+ results["vault_policies"] = parsed_secret_obj.vault_policies
+ results["parsed_secrets"] = parsed_secret_obj.parsed_secrets
+ results["kubernetes_secret_objects"] = parsed_secret_obj.kubernetes_secret_objects
+ results["secret_store_namespace"] = parsed_secret_obj.secret_store_namespace
+
+ module.exit_json(**results)
+
+
+def main():
+ """Main entry point where the AnsibleModule class is instantiated"""
+ module = AnsibleModule(
+ argument_spec=yaml.safe_load(DOCUMENTATION)["options"],
+ supports_check_mode=True,
+ )
+ run(module)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/common/ansible/plugins/modules/vault_load_parsed_secrets.py b/common/ansible/plugins/modules/vault_load_parsed_secrets.py
new file mode 100644
index 00000000..cfcf9732
--- /dev/null
+++ b/common/ansible/plugins/modules/vault_load_parsed_secrets.py
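Review bot: The `values_secrets_plaintext` option carries the decrypted secrets file, but its entry in DOCUMENTATION (which `main()` turns into the argument_spec via `yaml.safe_load(DOCUMENTATION)["options"]`) has no `no_log: true`, so the whole plaintext is echoed in the module invocation under `-v`/callback output unless every calling task remembers to set `no_log`; adding `no_log: true` next to `required: true` fixes this at the source. The returned `parsed_secrets` likewise holds the resolved field values (the sibling hunk assigns the secret into `parsed_secrets[...]["fields"]`), while `RETURN` is an empty string; documenting the four keys `run()` sets (`vault_policies`, `parsed_secrets`, `kubernetes_secret_objects`, `secret_store_namespace`) and stating that `parsed_secrets` contains secret material tells callers they must keep `no_log` on the task. The module docstring still shows the 1.0 `secrets:`/`files:` layout although the module only constructs `ParseSecretsV2`, and the sibling `sanitize_values` rejects anything but version 2.0, so the example should be a 2.0 file or be dropped.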
@@ -0,0 +1,302 @@
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""
+Ansible plugin module that loads secrets and policies once parsed and pushes them
+into a HashiCorp Vault in an OCP cluster. The values-secrets.yaml file is
+expected to be in the following format:
+---
+# version is optional. When not specified it is assumed it is 2.0
+version: 2.0
+
+"""
+
+import os
+import time
+
+import yaml
+from ansible.module_utils.basic import AnsibleModule
+
+ANSIBLE_METADATA = {
+ "metadata_version": "1.1",
+ "status": ["preview"],
+ "supported_by": "community",
+}
+
+DOCUMENTATION = """
+---
+module: vault_load_parsed_secrets
+short_description: Loads secrets into the HashiCorp Vault
+version_added: "2.50"
+author: "Martin Jackson"
+description:
+ - Takes parsed secrets objects and vault policies (as delivered by parse_secrets_info) and runs the commands to
+ load them into a vault instance. The relevent metadata will exist in the parsed secrets object. Returns count
+ of secrets injected.
+options:
+ parsed_secrets:
+ description:
+ - A structure containing the secrets, fields, and their metadata
+ required: true
+ type: dict
+ vault_policies:
+ description:
+ - Vault policies to inject into the instance.
+ required: true
+ type: dict
+ namespace:
+ description:
+ - Namespace where the vault is running
+ required: false
+ type: str
+ default: vault
+ pod:
+ description:
+ - Name of the vault pod to use to inject secrets
+ required: false
+ type: str
+ default: vault-0
+"""
+
+RETURN = """
+"""
+
+EXAMPLES = """
+- name: Loads secrets file into the vault of a cluster
+ vault_load_parsed_secrets:
+ parsed_secrets: "{{ parsed_secrets_structure_from_parse_secrets_info }}"
+ vault_policies: "{{ parsed_vault_policies_structure_from_parse_secrets_info }}"
+"""
+
+
+class VaultSecretLoader:
+ def __init__(
+ self,
+ module,
+ parsed_secrets,
+ vault_policies,
+ namespace,
+ pod,
+ ):
+ self.module = module
+ self.parsed_secrets = parsed_secrets
+ self.vault_policies = vault_policies
+ self.namespace = namespace
+ self.pod = pod
+
+ def _run_command(self, command, attempts=1, sleep=3, checkrc=True):
+ """
+ Runs a command on the host ansible is running on. A failing command
+ will raise an exception in this function directly (due to check=True)
+
+ Parameters:
+ command(str): The command to be run.
+ attempts(int): Number of times to retry in case of Error (defaults to 1)
+ sleep(int): Number of seconds to wait in between retry attempts (defaults to 3s)
+
+ Returns:
+ ret(subprocess.CompletedProcess): The return value from run()
+ """
+ for attempt in range(attempts):
+ ret = self.module.run_command(
+ command,
+ check_rc=checkrc,
+ use_unsafe_shell=True,
+ environ_update=os.environ.copy(),
+ )
+ if ret[0] == 0:
+ return ret
+ if attempt >= attempts - 1:
+ return ret
+ time.sleep(sleep)
+
+ def _vault_secret_attr_exists(self, mount, prefix, secret_name, attribute):
+ cmd = (
+ f"oc exec -n {self.namespace} {self.pod} -i -- sh -c "
+ f'"vault kv get -mount={mount} -field={attribute} {prefix}/{secret_name}"'
+ )
+ # we ignore stdout and stderr
+ (ret, _, _) = self._run_command(cmd, attempts=1, checkrc=False)
+ if ret == 0:
+ return True
+
+ return False
+
+ def load_vault(self):
+ injected_secret_count = 0
+
+ self.inject_vault_policies()
+
+ for secret_name, secret in self.parsed_secrets.items():
+ self.inject_secret(secret_name, secret)
+ injected_secret_count += 1
+
+ return injected_secret_count
+
+ def inject_field(
+ self,
+ secret_name,
+ soverride,
+ sbase64,
+ sgenerate,
+ spaths,
+ svault_policies,
+ fieldname,
+ fieldvalue,
+ mount,
+ vault_prefixes,
+ first=False,
+ ):
+ # Special cases:
+ # generate w|wo override
+ # path (w|wo b64)
+ #
+ # inifile secrets will be resolved by parser
+ # values (including base64'd ones) will be resolved by parser
+ # And we just ignore k8s or other fields
+
+ override = True if fieldname in soverride else False
+ b64 = True if fieldname in sbase64 else False
+ generate = True if fieldname in sgenerate else False
+ path = spaths.get(fieldname, False)
+ prefixes = vault_prefixes
+ verb = "put" if first else "patch"
+ policy = svault_policies.get(fieldname, False)
+
+ # "generate" secrets are created with policies and may be overridden or not
+ if generate:
+ gen_cmd = (
+ f"vault read -field=password sys/policies/password/{policy}/generate"
+ )
+ if b64:
+ gen_cmd += " | base64 --wrap=0"
+ for prefix in prefixes:
+ # if the override field is False and the secret attribute exists at the prefix then we just
+ # skip, as we do not want to overwrite the existing secret
+ if not override and self._vault_secret_attr_exists(
+ mount, prefix, secret_name, fieldname
+ ):
+ continue
+ cmd = (
+ f"oc exec -n {self.namespace} {self.pod} -i -- sh -c "
+ f'"{gen_cmd} | vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}=-"'
+ )
+ self._run_command(cmd, attempts=3)
+ return
+
+ if path:
+ for prefix in prefixes:
+ if b64:
+ b64_cmd = "| base64 --wrap=0"
+ else:
+ b64_cmd = ""
+ cmd = (
+ f"cat '{path}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c "
+ f"'cat - {b64_cmd}> /tmp/vcontent'; "
+ f"oc exec -n {self.namespace} {self.pod} -i -- sh -c '"
+ f"vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}=@/tmp/vcontent; "
+ f"rm /tmp/vcontent'"
+ )
+ self._run_command(cmd, attempts=3)
+ return
+
+ for prefix in prefixes:
+ cmd = (
+ f"oc exec -n {self.namespace} {self.pod} -i -- sh -c "
+ f"\"vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}='{fieldvalue}'\""
+ )
+ self._run_command(cmd, attempts=3)
+ return
+
+ def inject_secret(self, secret_name, secret):
+ mount = secret.get("vault_mount", "secret")
+ vault_prefixes = secret.get("vault_prefixes", ["hub"])
+
+ counter = 0
+ # In this structure, each field will have one value
+ for fname, fvalue in secret.get("fields").items():
+ self.inject_field(
+ secret_name=secret_name,
+ soverride=secret["override"],
+ sbase64=secret["base64"],
+ sgenerate=secret["generate"],
+ spaths=secret["paths"],
+ svault_policies=secret["vault_policies"],
+ fieldname=fname,
+ fieldvalue=fvalue,
+ mount=mount,
+ vault_prefixes=vault_prefixes,
+ first=counter == 0,
+ )
+ counter += 1
+ return
+
+ def inject_vault_policies(self):
+ for name, policy in self.vault_policies.items():
+ cmd = (
+ f"echo '{policy}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c "
+ f"'cat - > /tmp/{name}.hcl';"
+ f"oc exec -n {self.namespace} {self.pod} -i -- sh -c 'vault write sys/policies/password/{name} "
+ f" policy=@/tmp/{name}.hcl'"
+ )
+ self._run_command(cmd, attempts=3)
+
+
+def run(module):
+ """Main ansible module entry point"""
+ results = dict(changed=False)
+
+ args = module.params
+
+ vault_policies = args.get("vault_policies", {})
+ parsed_secrets = args.get("parsed_secrets", {})
+ namespace = args.get("namespace", "vault")
+ pod = args.get("pod", "vault-0")
+
+ if vault_policies == {}:
+ results["failed"] = True
+ module.fail_json("Must pass vault_policies")
+
+ if parsed_secrets == {}:
+ results["failed"] = True
+ module.fail_json("Must pass parsed_secrets")
+
+ loader = VaultSecretLoader(
+ module,
+ parsed_secrets,
+ vault_policies,
+ namespace,
+ pod,
+ )
+
+ nr_secrets = loader.load_vault()
+
+ results["failed"] = False
+ results["changed"] = True
+ results["msg"] = f"{nr_secrets} secrets injected"
+ module.exit_json(**results)
+
+
+def main():
+ """Main entry point where the AnsibleModule class is instantiated"""
+ module = AnsibleModule(
+ argument_spec=yaml.safe_load(DOCUMENTATION)["options"],
+ supports_check_mode=False,
+ )
+ run(module)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/common/ansible/roles/cluster_pre_check/defaults/main.yml b/common/ansible/roles/cluster_pre_check/defaults/main.yml
new file mode 100644
index 00000000..fd6cdd5c
--- /dev/null
+++ b/common/ansible/roles/cluster_pre_check/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+kubeconfig_backup: "{{ lookup('env', 'HOME') }}/.kube/config"
diff --git a/common/ansible/roles/vault_utils/tasks/pre_check.yaml b/common/ansible/roles/cluster_pre_check/tasks/main.yml
similarity index 100%
rename from common/ansible/roles/vault_utils/tasks/pre_check.yaml
rename to common/ansible/roles/cluster_pre_check/tasks/main.yml
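Review bot: In the last loop of `inject_field` the secret itself is spliced into the command string (`{fieldname}='{fieldvalue}'`) and run through `oc exec … sh -c` with `use_unsafe_shell=True`, so a value containing `'`, `$` or a backtick is re-parsed by the pod's shell, and the value is visible in the controller's process list and in the `fail_json` output that `check_rc=True` produces on failure (which echoes the command). The generate branch already uses the stdin form (`{fieldname}=-`); passing the value through `module.run_command(..., data=…, binary_data=True)` the same way avoids both problems, and `binary_data=True` matters because `run_command` appends a newline to text `data`. Separately, `_run_command` forwards `check_rc=checkrc` into the loop, so with the default `checkrc=True` the module exits on the first non-zero rc and the `attempts=3` retries never run. Its docstring's `check=True` / `subprocess.CompletedProcess` wording also describes a different API than the `(rc, stdout, stderr)` tuple `module.run_command` returns. The rewrite below retries with `check_rc=False`, fails once at the end without echoing the command, and feeds plain values on stdin.
```python
    def _run_command(self, command, attempts=1, sleep=3, checkrc=True, data=None):
        """
        Runs a command on the host ansible is running on, retrying up to
        `attempts` times. With checkrc=True the module fails (fail_json) once
        every attempt has returned a non-zero rc; the command line is not
        echoed because it may contain secret material.

        Parameters:
            command(str): The command to be run.
            attempts(int): Number of times to retry in case of Error (defaults to 1)
            sleep(int): Number of seconds to wait in between retry attempts (defaults to 3s)
            checkrc(bool): Fail the module if the final attempt has rc != 0
            data(bytes|None): Passed unchanged on the command's stdin

        Returns:
            ret(tuple): The (rc, stdout, stderr) tuple from module.run_command()
        """
        ret = (1, "", "")
        for attempt in range(attempts):
            # check_rc stays False here: with True the module would exit on the
            # first failure and the remaining attempts would never run.
            ret = self.module.run_command(
                command,
                check_rc=False,
                use_unsafe_shell=True,
                environ_update=os.environ.copy(),
                data=data,
                binary_data=True,
            )
            if ret[0] == 0 or attempt >= attempts - 1:
                break
            time.sleep(sleep)
        if checkrc and ret[0] != 0:
            self.module.fail_json(
                msg=f"Command failed after {attempts} attempt(s)",
                rc=ret[0],
                stderr=ret[2],
            )
        return ret

    # … unchanged: _vault_secret_attr_exists, load_vault, generate and path branches of inject_field …

        for prefix in prefixes:
            # stdin form, like the generate branch: the value is never parsed
            # by the pod's shell and never appears on a command line
            cmd = (
                f"oc exec -n {self.namespace} {self.pod} -i -- sh -c "
                f'"vault kv {verb} -mount={mount} {prefix}/{secret_name} {fieldname}=-"'
            )
            self._run_command(cmd, attempts=3, data=fieldvalue.encode())
        return
```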
diff --git a/common/ansible/roles/find_vp_secrets/tasks/main.yml b/common/ansible/roles/find_vp_secrets/tasks/main.yml
new file mode 100644
index 00000000..ce847a01
--- /dev/null
+++ b/common/ansible/roles/find_vp_secrets/tasks/main.yml
@@ -0,0 +1,87 @@
+---
+# Once V1 support is dropped we can remove the whole secret_template support
+- name: Set secret_template fact
+ no_log: "{{ override_no_log | default(true) }}"
+ ansible.builtin.set_fact:
+ secret_template: "{{ pattern_dir }}/values-secret.yaml.template"
+
+- name: Is a VALUES_SECRET env variable set?
+ ansible.builtin.set_fact:
+ custom_env_values_secret: "{{ lookup('ansible.builtin.env', 'VALUES_SECRET') }}"
+
+- name: Check if VALUES_SECRET file exists
+ ansible.builtin.stat:
+ path: "{{ custom_env_values_secret }}"
+ register: custom_file_values_secret
+ when: custom_env_values_secret | default('') | length > 0
+
+- name: Set values-secret yaml file to {{ custom_file_values_secret.stat.path }}
+ ansible.builtin.set_fact:
+ found_file: "{{ custom_file_values_secret.stat.path }}"
+ when:
+ - custom_env_values_secret | default('') | length > 0
+ - custom_file_values_secret.stat.exists
+
+# FIXME(bandini): Eventually around end of 2023(?) we should drop
+# ~/values-secret-{{ pattern_name }}.yaml and ~/values-secret.yaml
+- name: Find first existing values-secret yaml file
+ ansible.builtin.set_fact:
+ found_file: "{{ lookup('ansible.builtin.first_found', findme) }}"
+ vars:
+ findme:
+ - "~/.config/hybrid-cloud-patterns/values-secret-{{ pattern_name }}.yaml"
+ - "~/.config/validated-patterns/values-secret-{{ pattern_name }}.yaml"
+ - "~/values-secret-{{ pattern_name }}.yaml"
+ - "~/values-secret.yaml"
+ - "{{ pattern_dir }}/values-secret.yaml.template"
+ when: custom_env_values_secret | default('') | length == 0
+
+- name: Is found values secret file encrypted
+ no_log: "{{ override_no_log | default(true) }}"
+ ansible.builtin.shell: |
+ set -o pipefail
+ head -1 "{{ found_file }}" | grep -q \$ANSIBLE_VAULT
+ changed_when: false
+ register: encrypted
+ failed_when: (encrypted.rc not in [0, 1])
+
+# When HOME is set we replace it with '~' in this debug message
+# because when run from inside the container the HOME is /pattern-home
+# which is confusing for users
+- name: Is found values secret file encrypted
+ ansible.builtin.debug:
+ msg: "Using {{ (lookup('env', 'HOME') | length > 0) | ternary(found_file | regex_replace('^' + lookup('env', 'HOME'), '~'), found_file) }} to parse secrets"
+
+- name: Set encryption bool fact
+ no_log: "{{ override_no_log | default(true) }}"
+ ansible.builtin.set_fact:
+ is_encrypted: "{{ encrypted.rc == 0 | bool }}"
+
+- name: Get password for "{{ found_file }}"
+ ansible.builtin.pause:
+ prompt: "Input the password for {{ found_file }}"
+ echo: false
+ when: is_encrypted
+ register: vault_pass
+
+- name: Get decrypted content if {{ found_file }} was encrypted
+ no_log: "{{ override_no_log | default(true) }}"
+ ansible.builtin.shell:
+ ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}"
+ register: values_secret_plaintext
+ when: is_encrypted
+ changed_when: false
+
+- name: Normalize secrets format (un-encrypted)
+ no_log: '{{ override_no_log | default(true) }}'
+ ansible.builtin.set_fact:
+ values_secrets_data: "{{ lookup('file', found_file) | from_yaml }}"
+ when: not is_encrypted
+ changed_when: false
+
+- name: Normalize secrets format (encrypted)
+ no_log: '{{ override_no_log | default(true) }}'
+ ansible.builtin.set_fact:
+ values_secrets_data: "{{ values_secret_plaintext.stdout | from_yaml }}"
+ when: is_encrypted
+ changed_when: false
diff --git a/common/ansible/roles/iib_ci/README.md b/common/ansible/roles/iib_ci/README.md
index 98355ad9..36784ed5 100644
--- a/common/ansible/roles/iib_ci/README.md
+++ b/common/ansible/roles/iib_ci/README.md
@@ -38,6 +38,8 @@ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patc
 oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'
 ```
 
+### Gitops operator
+
 Then in case of the `openshift-gitops-operator` we would install with:
 
 ```sh
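Review bot: `is_encrypted: "{{ encrypted.rc == 0 | bool }}"` binds the filter to `0`, so the expression is `encrypted.rc == (0 | bool)` and only works because `0 == False` in Python; write `is_encrypted: "{{ (encrypted.rc == 0) | bool }}"`. When `VALUES_SECRET` names a file that does not exist neither `set_fact` runs (the first is guarded by `stat.exists`, the second by `length == 0`), so `found_file` stays undefined and the failure surfaces later as a templating error in the `head -1` task; an explicit `ansible.builtin.fail` guarded by `when: custom_env_values_secret | length > 0 and not custom_file_values_secret.stat.exists` would name the real cause. The two `shell` tasks rely on bash (`set -o pipefail`, `<(…)`, `<<<`) but run under the controller's default `/bin/sh`, so on hosts where that is dash they need `args: executable: /bin/bash` to behave the same. The vault password also becomes part of the `sh -c` argument string and is visible to other local users via the process list for the command's duration; writing it to an `ansible.builtin.tempfile` with mode 0600 and passing that path to `--vault-password-file` avoids that. The debug task reuses the name "Is found values secret file encrypted" from the task above it; naming it for what it prints avoids two identical entries in the log.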
@@ -45,35 +47,42 @@ export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=ii make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.gitops.channel=${CHANNEL}" install ``` -To install ACM (`export OPERATOR=advanced-cluster-management`) or any other -operator (except the gitops one) from an IIB we would call the following as a -final step: +### ACM operator + +The advanced-cluster-management operator is a little bit more complex than the others because it +also installes another operator called MCE multicluster-engine. So to install ACM you typically +need two IIBs (one for acm and one for mce). With those two at hand, do the following (the ordering must be +consistent: the first IIB corresponds to the first OPERATOR, etc). ```sh -export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') -make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${CHANNEL}" install +export OPERATOR=advanced-cluster-management,multicluster-engine +export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:713808,registry-proxy.engineering.redhat.com/rh-osbs/iib:718034 +make load-iib ``` -*Note*: In this case `acm` is the name of the subscription in `values-hub.yaml` - -### OCP 4.13 and onwards +Once the IIBs are loaded into the cluster we need to run the following steps: -Since 4.13 supports an internal registry that can cope with v2 docker manifests, we -use that. 
Run `make iib` with the following environment variables set: +```sh +export ACM_CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-713808" --field-selector "metadata.name=advanced-cluster-management" -o jsonpath='{.items[0].status.defaultChannel}') +export MCE_CHANNEL=$(oc get -n openshift-margetplace packagemanifests -l "catalog=iib-718034" --field-selector "metadata.name=multicluster-engine" -o jsonpath='{.items[0].status.defaultChannel}') +make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-713808 \ + --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${ACM_CHANNEL} \ + --set main.extraParameters[2].name=acm.mce_operator.source --set main.extraParameters[2].value="iib-718034" \ + --set main.extraParameters[3].name=acm.mce_operator.channel --set main.extraParameters[3].value=${MCE_CHANNEL}" install +``` -* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` -* `KUBEADMINPASS="11111-22222-33333-44444"` +*Note*: In this case the `acm` in `clusterGroup.subscriptions.acm.*` is the name of the key in the subscriptions in `values-hub.yaml` -### OCP 4.12 and previous versions +### Other operators -Due to the lack of v2 manifest support on the internal registry, we use an external -registry. 
Run `make iib` with the following environment variables set: +To install operators other than gitops and acm do the following: -* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` -* `REGISTRY=quay.io/rhn_support_mbaldess/iib` -* `REGISTRY_TOKEN=:` +```sh +export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') +make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions..source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions..channel --set main.extraParameters[1].value=${CHANNEL}" install +``` -*Note*: For the REGISTRY_TOKEN go to your quay repository, add a robot with "Write" permissions. The robot created will have a "username" and "password" fields. Set the REGISTRY_TOKEN environment variable to that value. +*Note*: Replace `` with the actual name of the subscription dictionary in `values-hub.yaml` ## Useful commands diff --git a/common/ansible/roles/iib_ci/defaults/main.yml b/common/ansible/roles/iib_ci/defaults/main.yml index 7605dba5..397be608 100644 --- a/common/ansible/roles/iib_ci/defaults/main.yml +++ b/common/ansible/roles/iib_ci/defaults/main.yml @@ -1,9 +1,5 @@ rh_internal_registry: registry-proxy.engineering.redhat.com -iib_image: "{{ lookup('env', 'INDEX_IMAGE') }}" - -external_registry: "{{ lookup('env', 'REGISTRY') }}" -external_registry_token: "{{ lookup('env', 'REGISTRY_TOKEN') }}" -external_registry_email: noemail@localhost +iib_images: "{{ lookup('env', 'INDEX_IMAGES') }}" kubeadminpass: "{{ lookup('env', 'KUBEADMINPASS') }}" diff --git a/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml b/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml index 11df26cc..391f2ac2 100644 --- a/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml 
+++ b/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml @@ -2,9 +2,9 @@ # the operator name is defined in the variable "item". This # set of tasks is to be included in a loop that goes over the # needed operators -- name: Get default channel in the IIB for "{{ item }}" +- name: Get default channel in the IIB for "{{ item.key }}" ansible.builtin.shell: | - oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \ + oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \ -o jsonpath='{.items[0].status.defaultChannel}' register: default_channel_raw retries: 10 @@ -15,9 +15,13 @@ ansible.builtin.set_fact: default_channel: "{{ default_channel_raw.stdout }}" -- name: Get all related images in the IIB for "{{ item }}" +- name: Print default channel + ansible.builtin.debug: + msg: "Default channel for {{ item.key }}: {{ default_channel }}" + +- name: Get all related images in the IIB for "{{ item.key }}" ansible.builtin.shell: | - oc get packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \ + oc get packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \ -o jsonpath="{.items[0].status.channels[?(@.name==\"{{ default_channel }}\")].currentCSVDesc.relatedImages}" register: related_images_raw retries: 5 @@ -29,7 +33,7 @@ related_images: "{{ related_images_raw.stdout }}" # NOTE(bandini) -# The following code is here to fund out what the operator bundle image is and to make +# The following code is here to find out what the operator bundle image is and to make # sure it is on the internal registry. # This is all potentially hacky, but so far I could not find a single place in the cluster # where the olm.bundle image is available. The info is in there in the IIB, but it certainly 
@@ -37,7 +41,7 @@ # alpha commands inside the IIB image locally - name: Pull the IIB locally ansible.builtin.command: - podman pull "{{ iib_image }}" + podman pull "{{ item.value['iib_image'] }}" # $ opm alpha list channels /configs advanced-cluster-management # PACKAGE CHANNEL HEAD @@ -46,7 +50,7 @@ - name: Read the operator bundle from the default channel ansible.builtin.shell: | set -o pipefail - podman run -it --rm "{{ iib_image }}" alpha list channels /configs "{{ item }}" | grep -E "(\s){{ default_channel }}(\s)" | awk '{ print $3 }' + podman run -it --rm "{{ item.value['iib_image'] }}" alpha list channels /configs "{{ item.key }}" | grep -E "(\s){{ default_channel }}(\s)" | awk '{ print $3 }' register: bundle_channel_raw - name: Set bundle fact @@ -70,7 +74,7 @@ - name: Get bundle image ansible.builtin.shell: | set -o pipefail - podman run -it --rm "{{ iib_image }}" alpha list bundles /configs "{{ item }}" | grep -e "{{ default_channel }}\s\+{{ bundle_channel }}" | awk '{ print $NF }' + podman run -it --rm "{{ item.value['iib_image'] }}" alpha list bundles /configs "{{ item.key }}" | grep -e "{{ default_channel }}\s\+{{ bundle_channel }}" | awk '{ print $NF }' register: bundle_image_raw - name: Set bundle image fact diff --git a/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml b/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml index 4b39184c..76a649b2 100644 --- a/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml +++ b/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml @@ -1,3 +1,7 @@ +- name: Set IIB local folder fact + ansible.builtin.set_fact: + iib_local_folder: "/tmp/manifest-{{ item.value['iib'] }}" + - name: Remove manifest folder "{{ iib_local_folder }}" ansible.builtin.file: path: "{{ iib_local_folder }}" 
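Review bot: `iib_local_folder` is a fixed, guessable path under the shared `/tmp` (`/tmp/manifest-{{ item.value['iib'] }}`) that the next task removes and that later tasks `chdir` into to write the catalog manifests and `catalog.log`; on a multi-user controller another local account can pre-create or symlink that path before the role runs. The surrounding tasks already consume `pull_secrets_tempfolder.path`, which looks like an `ansible.builtin.tempfile` result (not visible in this hunk, so inferred); creating the manifest folder the same way with `state: directory` and `prefix: manifest-{{ item.value['iib'] }}-`, registering it and setting `iib_local_folder` from `.path`, removes the guessable name and the separate delete step. The `@@ -16` and `@@ -43` hunks of the same file only rename variables and are fine as they are.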
@@ -16,14 +20,14 @@ - name: Mirror catalog manifests only to "{{ iib_local_folder }}" ansible.builtin.shell: | oc adm catalog mirror --insecure --manifests-only --to-manifests=. \ - "{{ iib_image }}" "{{ rh_internal_registry }}/rh-osbs" > catalog.log 2>&1 + "{{ item.value['iib_image'] }}" "{{ rh_internal_registry }}/rh-osbs" > catalog.log 2>&1 args: chdir: "{{ iib_local_folder }}" - name: Mirror IIB to "{{ mirror_iib }}" ansible.builtin.shell: | oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" \ - "{{ iib_image }}={{ mirror_iib }}" --insecure --keep-manifest-list 2>&1 + "{{ item.value['iib_image'] }}={{ mirror_iib }}" --insecure --keep-manifest-list 2>&1 args: chdir: "{{ iib_local_folder }}" register: oc_mirror_result @@ -43,7 +47,7 @@ - name: Wait for catalogsource to show up ansible.builtin.shell: | - oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ operator }}" \ + oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ item.value['iib'] }}" --field-selector "metadata.name={{ item.key }}" \ -o jsonpath='{.items[0].status.defaultChannel}' register: oc_catalogsource_result retries: 30 diff --git a/common/ansible/roles/iib_ci/tasks/main.yml b/common/ansible/roles/iib_ci/tasks/main.yml index ba6eb7c8..fcaad76a 100644 --- a/common/ansible/roles/iib_ci/tasks/main.yml +++ b/common/ansible/roles/iib_ci/tasks/main.yml 
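Review bot: Both mirror commands in hunk @@ -16,14 +20,14 @@ keep `--insecure`, which disables TLS verification for the registries involved, and nothing in the file says why; a comment above the first task, e.g. `# --insecure: skips registry TLS verification for <registry> because <reason>` with the placeholders filled in, or a variable that injects the flag only when set, keeps that decision visible to the next reviewer. The `oc adm catalog mirror` task also sends all output to `catalog.log`, so on failure the play shows only the exit code, and the file sits in `iib_local_folder`, which the role removes. The "Wait for catalogsource to show up" task in hunk @@ -43,7 continues past the hunk; `retries: 30` is its last visible line.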
@@ -1,16 +1,16 @@ -- name: Check that INDEX_IMAGE env variable is set +- name: Check for pre-requisite binaries presence + ansible.builtin.shell: | + which "{{ item }}" + with_items: + - skopeo + - oc + - podman + +- name: Check that INDEX_IMAGES env variable is set ansible.builtin.fail: - msg: "INDEX_IMAGE: '{{ iib_image }}' is not set" + msg: "INDEX_IMAGES: '{{ iib_images }}' is not set" failed_when: - (iib_image is not defined or iib_image | length == 0) - -- name: Set IIB fact - ansible.builtin.set_fact: - iib: "{{ iib_image.split(':')[1] }}" - -- name: Set IIB local folder fact - ansible.builtin.set_fact: - iib_local_folder: "/tmp/manifest-{{ iib }}" + (iib_images is not defined or iib_images | length == 0) - name: Get cluster version # E.g. 4.13.0-rc.6 or 4.12.16 
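Review bot: `msg: "INDEX_IMAGES: '{{ iib_images }}' is not set"` is templated before `failed_when` is evaluated, so when `iib_images` really is undefined the task aborts with an undefined-variable error instead of this message; write it as `msg: "INDEX_IMAGES: '{{ iib_images | default('') }}' is not set"`. The new "Check for pre-requisite binaries presence" task runs `which` through `ansible.builtin.shell` in a loop with no `changed_when`, so every run reports a change for a read-only probe; `ansible.builtin.command: which {{ item }}` with `changed_when: false` does the same job without spawning a shell. The "Get cluster version" task at the end of the hunk continues outside it.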
@@ -21,21 +21,51 @@ - name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests) ansible.builtin.set_fact: - use_internal_registry: "{{ oc_version_raw.stdout is version('4.13', '>=') }}" + ocp_413: "{{ oc_version_raw.stdout is version('4.13', '>=') }}" + +- name: Fail if OCP < 4.13 as we do not support it for IIB testing any longer + ansible.builtin.fail: + msg: "OCP versions < 4.13 are not support for IIB loading" + when: not ocp_413 + +- name: Set images array + ansible.builtin.set_fact: + iib_image_list: "{{ iib_images.split(',') }}" + +- name: Set operator array + ansible.builtin.set_fact: + operator_list: "{{ operator.split(',') }}" + +# Creates a dict like: +# "advanced-cluster-management": { +# "iib": "713808", +# "iib_image": "registry-proxy.engineering.redhat.com/rh-osbs/iib:713808" +# }, +# "multicluster-engine": { +# "iib": "713809", +# "iib_image": "registry-proxy.engineering.redhat.com/rh-osbs/iib:713809" +# } +- name: Set IIB dict + ansible.builtin.set_fact: + iib_dict: "{{ iib_dict | default({}) | combine({item.0: {'iib_image': item.1, 'iib': item.1.split(':')[-1]}}) }}" + with_together: + - "{{ operator_list }}" + - "{{ iib_image_list }}" + +- name: Working with the following IIB data + ansible.builtin.debug: + msg: "{{ iib_dict }}" - name: Set up internal registry (OCP >= 4.13) ansible.builtin.include_tasks: setup-internal-registry.yml - when: use_internal_registry - -- name: Set up external registry (OCP < 4.13) - ansible.builtin.include_tasks: setup-external-registry.yml - when: not use_internal_registry - name: Install new IIB in cluster ansible.builtin.include_tasks: install-iib-in-cluster.yml + with_items: "{{ iib_dict | dict2items }}" - name: Mirror all related images ansible.builtin.include_tasks: mirror-related-images.yml + with_items: "{{ iib_dict | dict2items }}" - name: Remove pullsecrets tempfolder ansible.builtin.file: 
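Review bot: `'iib': item.1.split(':')[-1]` in the "Set IIB dict" task is never validated, yet the value becomes a path component (`/tmp/manifest-…` on L40 and L44), a label-selector value (L39, L41) and a CatalogSource / ImageDigestMirrorSet name (L48); an image reference with no tag, or with a registry port but no tag, makes `split(':')[-1]` return `registry/path` or `5000/rh-osbs/iib`, which nests the temp path and is not a valid Kubernetes name. Add an assertion right after the dict is built, e.g. `ansible.builtin.assert: { that: item.value['iib'] is match('^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$') }` with `loop: "{{ iib_dict | dict2items }}"`. `with_together` also pads the shorter list with `None` when `operator` and `INDEX_IMAGES` have different element counts, so `item.1.split` then fails with an unrelated error; an `ansible.builtin.assert` that `operator_list | length == iib_image_list | length` gives a clear message instead. The fail message `are not support for IIB loading` should read `are not supported`.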
diff --git a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml index 32a36c07..74a0bc3b 100644 --- a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml +++ b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml @@ -1,8 +1,7 @@ -# This is needed because some operators like "advanced-cluster-management" -# install a second operator "multicluster-engine" -- name: Set operators list +# We redefine this var so it is easier to run this task independently +- name: Set IIB local folder fact ansible.builtin.set_fact: - operator_list: "{{ [operator] + (operator == 'advanced-cluster-management') | ternary(['multicluster-engine'], []) }}" + iib_local_folder: "/tmp/manifest-{{ item.value['iib'] }}" - name: Set all images to empty list ansible.builtin.set_fact: @@ -10,7 +9,6 @@ - name: Fetch operator images tasks ansible.builtin.include_tasks: fetch-operator-images.yml - loop: "{{ operator_list }}" - name: Print all_images ansible.builtin.debug: 
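Review bot: The comment `# We redefine this var so it is easier to run this task independently` states the intent but not the contract the file now has: `iib_local_folder` is built from `item.value['iib']`, so the file only works when included from a loop over `iib_dict | dict2items` as main.yml does. Replace it with something like `# Expects item to be one dict2items entry of iib_dict (key = operator name, value.iib = IIB tag, value.iib_image = image ref); iib_local_folder is re-set here so this file can be included on its own`. The fixed `/tmp/manifest-…` path it produces has the same shared-`/tmp` exposure as the copy in install-iib-in-cluster.yml on L40, so if that one moves to `ansible.builtin.tempfile` this one must follow.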
@@ -33,13 +31,24 @@ right=$(grep "{{ image }}" "{{ iib_local_folder }}/mapping.txt" | cut -f2 -d=) right_base=$(echo $right | sed -e 's/:.*$//' -e 's/@.*$//') right_log=$(echo "${right_base}@${left_sha}" | sed -e 's/\//-/g') - if skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" &> /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log; then + left_out=$(skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" 2>&1) + left_ret=$? + if [ $left_ret -eq 0 ]; then echo "{{ image }}" - elif skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" &> "/tmp/skopeo-${right_log}.log"; then - echo "${right_base}@${left_sha}" else - echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" - exit 1 + echo "${left_out}" > /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log + right_out=$(skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" 2>&1) + right_ret=$? + if [ $right_ret -eq 0 ]; then + echo "${right_base}@${left_sha}" + else # both left_ret and right_ret were != 0 + echo "${right_out}" > "/tmp/skopeo-${right_log}.log" + echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" + echo "Printing both outputs:" + echo "Left out: ${left_out}" + echo "Right out: ${right_out}" + exit 1 + fi fi register: all_existing_images with_items: "{{ all_images }}" 
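Review bot: The rewritten error line `echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found"` still carries a stray `echo` inside the message text; it should read `echo "ERROR: both {{ image }} and ${right_base}@${left_sha} could not be found"`. Both `skopeo inspect` outputs are now echoed into the registered task result and also written to fixed `/tmp/skopeo-*.log` names; the files add nothing the result does not already hold, and a predictable name under the shared `/tmp` can be pre-created by another local user, so either drop them or write them under the run's own temp directory. The enclosing shell task starts before this hunk (`left_sha` and `image` appear to be set there), and `with_items: "{{ all_images }}"` closes it inside the hunk.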
@@ -91,16 +100,6 @@ 'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''), 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" loop: "{{ all_images }}" - when: use_internal_registry - -- name: Create dict with full image name+sha -> mirror destination (OCP < 4.13) - ansible.builtin.set_fact: - image_urls: "{{ image_urls | default({}) | combine({item: - {'mirrordest': mirror_dest + '@' + item | basename | regex_replace('^.*@', ''), - 'mirrordest_nosha': mirror_dest, - 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" - loop: "{{ all_images }}" - when: not use_internal_registry - name: Create dict with full image name+sha -> image key without sha ansible.builtin.set_fact: @@ -118,20 +117,12 @@ ansible.builtin.debug: msg: "{{ image_urls }}" -# OCP 4.13 uses the new fangled "ImageDigestMirrorSet", older OCPs use "ImageContentSourcePolicy" +# OCP 4.13 uses the new fangled "ImageDigestMirrorSet" - name: Template out imageMirror.yaml (OCP >= 4.13) ansible.builtin.template: src: ./templates/imageDigestMirror.yaml.j2 dest: "{{ iib_local_folder }}/imageMirror.yaml" mode: "0644" - when: use_internal_registry - -- name: Template out imageMirror.yaml (OCP < 4.13) - ansible.builtin.template: - src: ./templates/imageContentSourcePolicy.yaml.j2 - dest: "{{ iib_local_folder }}/imageMirror.yaml" - mode: "0644" - when: not use_internal_registry - name: Template out mirror.map ansible.builtin.template: diff --git a/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml b/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml deleted file mode 100644 index a9a9b10a..00000000 --- a/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -- name: Check that we can push to the external registry - ansible.builtin.fail: - msg: "REGISTRY: '{{ external_registry }}' and REGISTRY_TOKEN: '{{ external_registry_token }}'. Both need to be set" - failed_when: > - (external_registry is not defined or external_registry | length == 0) or - (external_registry_token is not defined or external_registry_token | length == 0) - -- name: Get current cluster pull secrets - ansible.builtin.command: - oc extract secret/pull-secret -n openshift-config --to=- - register: pull_secrets_raw - -- name: Add external registry to pull secrets and set auth fact - ansible.builtin.set_fact: - pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}" - external_registry_auth: "{{ external_registry_token | b64encode }}" - -- name: Add local registry to pull secrets - ansible.builtin.set_fact: - pull_secrets: "{{ pull_secrets_new | combine({'auths': {external_registry.split('/')[0]: {'email': external_registry_email, 'auth': external_registry_auth}}}, recursive=true) }}" - -- name: Get a tempfile for the pull secrets - ansible.builtin.tempfile: - state: directory - register: pull_secrets_tempfolder - -- name: Store pull secrets in tempfile - ansible.builtin.copy: - dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" - content: "{{ pull_secrets | to_nice_json }}" - mode: "0644" - -# We cannot store the logins back in the cluster, because quay.io would be overwritten and not have -# access to the images openshift needs. See: -# https://github.com/moby/moby/issues/37569 -# - name: Update pull-secret in the cluster -# ansible.builtin.shell: | -# oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" -- name: Set Mirror URL fact for external mirror IIB - ansible.builtin.set_fact: - mirror_iib: "{{ external_registry }}" - -- name: Set Mirror URL fact for external mirror - ansible.builtin.set_fact: - mirror_dest: "{{ external_registry }}" 
diff --git a/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 b/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 index 99087603..e7498892 100644 --- a/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 +++ b/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 @@ -1,9 +1,9 @@ apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: - name: iib-{{ iib }} + name: iib-{{ item.value['iib'] }} namespace: {{ internal_registry_ns }} spec: - image: {{ mirror_iib }}:{{ iib }} + image: {{ mirror_iib }}:{{ item.value['iib'] }} sourceType: grpc - displayName: IIB {{ iib }} + displayName: IIB {{ item.value['iib'] }} diff --git a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 index 1b04f321..08a24735 100644 --- a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 +++ b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 @@ -3,16 +3,16 @@ kind: ImageDigestMirrorSet metadata: labels: operators.openshift.org/catalog: "true" - name: iib-{{ iib }} + name: iib-{{ item.value['iib'] }} spec: imageDigestMirrors: -{% for item in image_urls.values() %} +{% for data in image_urls.values() %} - mirrors: - - {{ item.mirrordest_nosha }} - source: {{ item.source_nosha }} + - {{ data.mirrordest_nosha }} + source: {{ data.source_nosha }} mirrorSourcePolicy: AllowContactingSource - mirrors: - - {{ item.mirrordest_nosha }} - source: {{ item.image_nosha }} + - {{ data.mirrordest_nosha }} + source: {{ data.image_nosha }} mirrorSourcePolicy: AllowContactingSource {% endfor %} diff --git a/common/ansible/roles/k8s_secret_utils/defaults/main.yml b/common/ansible/roles/k8s_secret_utils/defaults/main.yml new file mode 100644 index 00000000..7ebda207 --- /dev/null +++ b/common/ansible/roles/k8s_secret_utils/defaults/main.yml @@ -0,0 +1,2 @@ +--- +secrets_ns: 'validated-patterns-secrets' 
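Review bot: catalogSource.yaml.j2 now reads `item.value['iib']` three times, so it renders only inside the `iib_dict | dict2items` loop that install-iib-in-cluster.yml runs, and a render outside that loop fails with an unhelpful undefined-variable error; a header comment such as `{# item: one dict2items entry of iib_dict — key = operator, value.iib = IIB tag, value.iib_image = image ref #}` records that dependency. The tag also becomes `metadata.name: iib-<tag>` here and in imageDigestMirror.yaml.j2, so it must be a valid DNS-1123 subdomain (lowercase alphanumerics, `-`, `.`), which a check where `iib_dict` is built in main.yml can enforce once for both templates. The Jinja loop variable rename to `data` in imageDigestMirror.yaml.j2 is what keeps the Ansible `item` visible for `metadata.name`; a one-line comment saying so would stop a future cleanup from renaming it back.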
diff --git a/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml b/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml new file mode 100644 index 00000000..283fb6a2 --- /dev/null +++ b/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secret.yml @@ -0,0 +1,15 @@ +--- +- name: Check for secrets namespace + no_log: false + kubernetes.core.k8s_info: + kind: Namespace + name: "{{ item['metadata']['namespace'] }}" + register: secrets_ns_rc + until: secrets_ns_rc.resources | length > 0 + retries: 20 + delay: 45 + +- name: Inject k8s secret + no_log: '{{ override_no_log | default(True) }}' + kubernetes.core.k8s: + definition: '{{ item }}' diff --git a/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml b/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml new file mode 100644 index 00000000..a2299734 --- /dev/null +++ b/common/ansible/roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml @@ -0,0 +1,5 @@ +--- +- name: Inject secrets + no_log: '{{ override_no_log | default(True) }}' + ansible.builtin.include_tasks: inject_k8s_secret.yml + loop: '{{ kubernetes_secret_objects }}' diff --git a/common/ansible/roles/k8s_secret_utils/tasks/main.yml b/common/ansible/roles/k8s_secret_utils/tasks/main.yml new file mode 100644 index 00000000..d72de7ae --- /dev/null +++ b/common/ansible/roles/k8s_secret_utils/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: Parse and extract k8s secrets from values-secret file + ansible.builtin.include_tasks: parse_secrets.yml + +- name: Inject k8s secrets + ansible.builtin.include_tasks: inject_k8s_secrets.yml diff --git a/common/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml b/common/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml new file mode 100644 index 00000000..b1755cc2 --- /dev/null +++ b/common/ansible/roles/k8s_secret_utils/tasks/parse_secrets.yml 
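Review bot: `no_log` on the `include_tasks` in inject_k8s_secrets.yml may not protect the loop item: by default the callback prints `included: inject_k8s_secret.yml for <host> => (item=…)` for every iteration, and `item` here is the complete Secret object including `stringData`. Please verify on the target Ansible version that this line is censored; if it is not, loop over an index instead, e.g. `loop: "{{ range(kubernetes_secret_objects | length) | list }}"`, and read `kubernetes_secret_objects[item]` inside inject_k8s_secret.yml so no secret material reaches the include output. In inject_k8s_secret.yml the namespace wait is 20 retries × 45 s, i.e. up to 15 minutes before injection fails; a comment naming what is expected to create the namespace in that window would help the next reader. The explicit `no_log: false` on that check is fine since only the namespace name is shown, but a short comment saying so would stop someone from "fixing" it.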
@@ -0,0 +1,12 @@ +--- +- name: Parse secrets data + # no_log: '{{ override_no_log | default(true) }}' + parse_secrets_info: + values_secrets_plaintext: "{{ values_secrets_data }}" + secrets_backing_store: "{{ secrets_backing_store }}" + register: secrets_results + +- name: Return kubernetes objects + no_log: '{{ override_no_log | default(true) }}' + ansible.builtin.set_fact: + kubernetes_secret_objects: "{{ secrets_results['kubernetes_secret_objects'] }}" diff --git a/common/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml new file mode 100644 index 00000000..cbca15e0 --- /dev/null +++ b/common/ansible/roles/vault_utils/tasks/push_parsed_secrets.yaml 
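Review bot: The commented-out `# no_log: '{{ override_no_log | default(true) }}'` on "Parse secrets data" leaves that task unprotected even though its `values_secrets_plaintext` argument is the entire decrypted values-secret file; a module failure, a `-v` run, or a callback that dumps invocation args would print every secret. Restore the line as live config so the task reads `no_log: '{{ override_no_log | default(true) }}'` like the set_fact below it; if it was disabled for debugging, `override_no_log` already provides that switch without leaving dead config behind.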
@@ -0,0 +1,43 @@ +--- +- name: "Do pre-checks for Vault" + ansible.builtin.include_role: + name: vault_utils + tasks_from: vault_status + +# Unfortunately we cannot loop vault_status and just check if the vault is unsealed +# https://github.com/ansible/proposals/issues/136 +# So here we keep running the 'vault status' command until sealed is set to false +- name: If the vault is still sealed we need to retry + kubernetes.core.k8s_exec: + namespace: "{{ vault_ns }}" + pod: "{{ vault_pod }}" + command: vault status -format=json + register: vault_status_json + until: "'stdout' in vault_status_json and (not (vault_status_json.stdout | from_json)['sealed'] | bool)" + retries: 20 + delay: 45 + failed_when: "'stdout_lines' not in vault_status_json" + +# This step is not really needed when running make vault-init + load-secrets as +# everything is sequential +# It is needed when the vault is unsealed/configured inside the cluster and load-secrets +# gets run *while* the cronjob configures the vault. I.e. it might be half configured and return +# errors +- name: Make sure that the vault auth policy exists + kubernetes.core.k8s_exec: + namespace: "{{ vault_ns }}" + pod: "{{ vault_pod }}" + command: + sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'" + register: vault_role_cmd + until: + - vault_role_cmd.rc is defined + - vault_role_cmd.rc == 0 + retries: 20 + delay: 45 + changed_when: false + +- name: Load parsed secrets into cluster vault + vault_load_parsed_secrets: + vault_policies: "{{ vault_policies }}" + parsed_secrets: "{{ parsed_secrets }}" diff --git a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml index 31d2878b..7954dc47 100644 --- a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml +++ b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml 
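Review bot: "Load parsed secrets into cluster vault" passes `parsed_secrets`, which holds the resolved secret field values (see the `fields` dicts in the tests on this page), to `vault_load_parsed_secrets` without `no_log`, so a module failure or a verbose run prints the secret material; add `no_log: '{{ override_no_log | default(true) }}'` as the k8s loader tasks on this page do. The readiness probe `vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'` matches any role name that merely contains that string; `grep -qx '{{ vault_hub }}-role'` checks for the exact role. The unseal wait can also run for 20 × 45 s and then end as a bare `until` timeout; a comment on that task stating the expected unsealer (the cronjob mentioned above it) and the total wait would make a CI failure readable.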
@@ -1,6 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - name: Vault status check ansible.builtin.include_tasks: vault_status.yaml diff --git a/common/ansible/roles/vault_utils/tasks/vault_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_init.yaml index 16ce73df..38e1e911 100644 --- a/common/ansible/roles/vault_utils/tasks/vault_init.yaml +++ b/common/ansible/roles/vault_utils/tasks/vault_init.yaml @@ -1,6 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - name: Vault status check ansible.builtin.include_tasks: vault_status.yaml diff --git a/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml index 7e0741aa..35327d58 100644 --- a/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml +++ b/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml @@ -1,7 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - - name: Is secrets backend already enabled kubernetes.core.k8s_exec: namespace: "{{ vault_ns }}" diff --git a/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml index d4310e7f..e930252a 100644 --- a/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml +++ b/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml @@ -1,7 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - - name: Find managed clusters kubernetes.core.k8s_info: kind: ManagedCluster diff --git a/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml b/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml index 862f19d8..43232ac7 100644 --- a/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml +++ b/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml 
@@ -1,6 +1,4 @@ --- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - name: Vault status check ansible.builtin.include_tasks: vault_status.yaml diff --git a/common/ansible/roles/vault_utils/values-secrets.v2.schema.json b/common/ansible/roles/vault_utils/values-secrets.v2.schema.json index c9723d6f..c8b5c020 100644 --- a/common/ansible/roles/vault_utils/values-secrets.v2.schema.json +++ b/common/ansible/roles/vault_utils/values-secrets.v2.schema.json @@ -10,7 +10,7 @@ "title": "Hybrid Cloud Patterns - values-secret.yaml files schema V2", "description": "This schema defines the values-secret.yaml file as used by [Validated Patterns](https://hybrid-cloud-patterns.io)", "type": "object", - "examples": [ + "examples": [ { "version": "2.0", "backingStore": "vault", @@ -105,6 +105,19 @@ "$ref": "#/definitions/VaultPolicies", "description": "A dictionary of {name}:{policy} of custom vault password policies" }, + "secretStoreNamespace": { + "type": "string", + "description": "Namespace to store secrets in for kubernetes loader", + "default": "validated-patterns-secrets" + }, + "defaultLabels": { + "type": "object", + "description": "Default labels to add to secret objects for kubernetes loader" + }, + "defaultAnnotations": { + "type": "object", + "description": "Default labels to add to secret objects for kubernetes loader" + }, "secrets": { "$ref": "#/definitions/Secrets", "description": "The list of actual secrets to be uploaded in the vault" 
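Review bot: The `defaultAnnotations` description in hunk @@ -105,6 +105,19 @@ is a copy of the `defaultLabels` one, so the schema documents annotations as labels; change it to `"description": "Default annotations to add to secret objects for kubernetes loader"`. Both `defaultLabels` and `defaultAnnotations` are declared as bare `object`, so a nested value validates even though Kubernetes only accepts string-to-string maps there; `"additionalProperties": {"type": "string"}` on each keeps the schema honest. The `secretStoreNamespace` default matches `secrets_ns` in the role defaults on this page, which is the value a reader will look for.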
@@ -166,6 +179,23 @@ }, "default": [ "hub" ] }, + "targetNamespaces": { + "type": "array", + "description": "The namespace(s) that the secret will be injected into, ignored by configs using ESO", + "items": { + "type": "string", + "minItems": 1, + "uniqueItems": true + } + }, + "annotations": { + "type": "object", + "description": "Annotations to add to the kubernetes secret object, which override defaults" + }, + "labels": { + "type": "object", + "description": "Labels to add to the kubernetes secret object, which override defaults" + }, "fields": { "type": "array", "description": "This is the list of actual secret material that will be placed in a vault key's attributes", diff --git a/common/ansible/tests/unit/test_parse_secrets.py b/common/ansible/tests/unit/test_parse_secrets.py new file mode 100644 index 00000000..0cfef1b6 --- /dev/null +++ b/common/ansible/tests/unit/test_parse_secrets.py 
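Review bot: In `targetNamespaces`, `minItems` and `uniqueItems` sit inside `items` (the per-element string schema), where they have no effect, so an empty list or duplicate namespaces still validate; move them up beside `"type": "array"` as `"minItems": 1, "uniqueItems": true` and leave `"items": {"type": "string"}`. The new `annotations` and `labels` objects would likewise benefit from `"additionalProperties": {"type": "string"}`, since Kubernetes rejects non-string values in either map. The test_parse_secrets.py hunk that follows runs past the end of the visible diff.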
@@ -0,0 +1,981 @@ +# Copyright 2022, 2023 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Simple module to test parse_secret_info +""" + +import base64 +import configparser +import json +import os +import sys +import unittest +from unittest import mock +from unittest.mock import patch + +from ansible.module_utils import basic +from ansible.module_utils.common.text.converters import to_bytes +from test_util_datastructures import ( + DEFAULT_KUBERNETES_METADATA, + DEFAULT_KUBERNETES_SECRET_OBJECT, + DEFAULT_PARSED_SECRET_VALUE, + DEFAULT_VAULT_POLICIES, +) + +# from unittest.mock import call, patch + +# TODO(bandini): I could not come up with something better to force the imports to be existing +# when we "import parse_secrets_info" +sys.path.insert(1, "./ansible/plugins/module_utils") +sys.path.insert(1, "./ansible/plugins/modules") + +import load_secrets_common # noqa: E402 + +sys.modules["ansible.module_utils.load_secrets_common"] = load_secrets_common + +import parse_secrets_v2 # noqa: E402 + +sys.modules["ansible.module_utils.parse_secrets_v2"] = parse_secrets_v2 + +import parse_secrets_info # noqa: E402 + +sys.modules["ansible.modules.parse_secrets_info"] = parse_secrets_info + + +def set_module_args(args): + """prepare arguments so that they will be picked up during module creation""" + args = json.dumps({"ANSIBLE_MODULE_ARGS": args}) + basic._ANSIBLE_ARGS = to_bytes(args) + + +class BytesEncoder(json.JSONEncoder): + 
def default(self, o): + if isinstance(o, bytes): + return base64.b64encode(o).decode("ascii") + else: + return super().default(o) + + +def json_str(a): + return json.dumps(a, sort_keys=True, cls=BytesEncoder) + + +def ds_eq(a, b): + """ + This function takes two arbitrary data structures, sorts their keys, stringifies them into JSON + and compares them. The idea here is to test data structure difference without having to write + an involved recursive data structure parser. If the function returns true, the two data + structures are equal. + """ + print("a=" + json_str(a)) + print("b=" + json_str(b)) + return json_str(a) == json_str(b) + + +class AnsibleExitJson(Exception): + """Exception class to be raised by module.exit_json and caught by the test case""" + + pass + + +class AnsibleFailJson(Exception): + """Exception class to be raised by module.fail_json and caught by the test case""" + + pass + + +def exit_json(*args, **kwargs): + """function to patch over exit_json; package return data into an exception""" + if "changed" not in kwargs: + kwargs["changed"] = False + raise AnsibleExitJson(kwargs) + + +def fail_json(*args, **kwargs): + """function to patch over fail_json; package return data into an exception""" + kwargs["failed"] = True + kwargs["args"] = args + raise AnsibleFailJson(kwargs) + + +@mock.patch("getpass.getpass") +class TestMyModule(unittest.TestCase): + def create_inifile(self): + self.inifile = open("/tmp/awscredentials", "w") + config = configparser.ConfigParser() + config["default"] = { + "aws_access_key_id": "123123", + "aws_secret_access_key": "abcdefghi", + } + config["foobar"] = { + "aws_access_key_id": "345345", + "aws_secret_access_key": "rstuvwxyz", + } + with self.inifile as configfile: + config.write(configfile) + + def create_testbinfile(self): + with open(self.binfilename, "wb") as f: + f.write(bytes([8, 6, 7, 5, 3, 0, 9])) + f.close() + + def setUp(self): + self.binfilename = "/tmp/testbinfile.bin" + self.mock_module_helper = 
patch.multiple( + basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json + ) + self.mock_module_helper.start() + self.addCleanup(self.mock_module_helper.stop) + self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") + self.testfile = open("/tmp/ca.crt", "w") + self.create_inifile() + self.create_testbinfile() + # For ~/expanduser tests + self.orig_home = os.environ["HOME"] + os.environ["HOME"] = self.testdir_v2 + + def tearDown(self): + os.environ["HOME"] = self.orig_home + self.testfile.close() + try: + os.remove("/tmp/ca.crt") + os.remove(self.binfilename) + # os.remove("/tmp/awscredentials") + except OSError: + pass + + def get_file_as_stdout(self, filename, openmode="r"): + with open(filename, mode=openmode, encoding="utf-8") as f: + return f.read() + + def test_module_fail_when_required_args_missing(self, getpass): + with self.assertRaises(AnsibleFailJson): + set_module_args({}) + parse_secrets_info.main() + + def test_module_parse_base(self, getpass): + getpass.return_value = "/tmp/ca.crt" + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (len(ret["parsed_secrets"])) == 1 + and (len(ret["kubernetes_secret_objects"]) == 0) + ) + + def test_module_parse_base_parsed_secrets(self, getpass): + getpass.return_value = "/tmp/ca.crt" + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + vp = DEFAULT_VAULT_POLICIES | { + "basicPolicy": 'length=10\nrule "charset" { charset = 
"abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 + "advancedPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 + } + + # Beware reading this structure aloud to your cat... + pspsps = { + "config-demo": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "config-demo", + "fields": { + "secret": None, + "secret2": "/tmp/ca.crt", + "ca_crt": "", + "ca_crt2": "", + }, + "base64": ["ca_crt2"], + "generate": ["secret"], + "override": ["secret"], + "vault_policies": { + "secret": "basicPolicy", + }, + "vault_prefixes": [ + "region-one", + "snowflake.blueprints.rhecoeng.com", + ], + "paths": { + "ca_crt": "/tmp/ca.crt", + "ca_crt2": "/tmp/ca.crt", + }, + }, + } + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (ds_eq(vp, ret["vault_policies"])) + and (ds_eq(pspsps, ret["parsed_secrets"])) + ) + + def test_module_parsed_secret_ini_files(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-ini-file.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + ps = { + "aws": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "aws", + "fields": { + "aws_access_key_id": "123123", + "aws_secret_access_key": "abcdefghi", + }, + "ini_file": { + "aws_access_key_id": { + "ini_file": "/tmp/awscredentials", + "ini_section": "default", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": "/tmp/awscredentials", + "ini_section": "default", + "ini_key": 
"aws_secret_access_key", + }, + }, + }, + "awsfoobar": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "awsfoobar", + "fields": { + "aws_access_key_id": "345345", + "aws_secret_access_key": "rstuvwxyz", + }, + "ini_file": { + "aws_access_key_id": { + "ini_file": "/tmp/awscredentials", + "ini_section": "foobar", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": "/tmp/awscredentials", + "ini_section": "foobar", + "ini_key": "aws_secret_access_key", + }, + }, + }, + } + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (len(ret["parsed_secrets"]) == 2) + and (ds_eq(ps, ret["parsed_secrets"])) + ) + + def test_module_parsed_secret_ini_files_base64(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-ini-file-b64.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + } + ) + parse_secrets_info.main() + + ps = { + "aws": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "aws", + "fields": { + "aws_access_key_id": "A123456789012345678A", + "aws_secret_access_key": "A12345678901234567890123456789012345678A", + }, + "ini_file": { + "aws_access_key_id": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_secret_access_key", + }, + }, + }, + "awsb64": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "awsb64", + "fields": { + "aws_access_key_id": "QTEyMzQ1Njc4OTAxMjM0NTY3OEE=", + "aws_secret_access_key": "QTEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4QQ==", + }, + "base64": [ + "aws_access_key_id", + "aws_secret_access_key", + ], + "ini_file": { + "aws_access_key_id": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + 
"ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_secret_access_key", + }, + }, + }, + } + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (len(ret["parsed_secrets"]) == 2) + and (len(ret["kubernetes_secret_objects"]) == 0) + and (ds_eq(ps, ret["parsed_secrets"])) + ) + + def test_module_parsed_secret_ini_files_base64_kubernetes(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-ini-file-b64.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + + ps = { + "aws": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "aws", + "fields": { + "aws_access_key_id": "A123456789012345678A", + "aws_secret_access_key": "A12345678901234567890123456789012345678A", + }, + "ini_file": { + "aws_access_key_id": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_secret_access_key", + }, + }, + }, + "awsb64": DEFAULT_PARSED_SECRET_VALUE + | { + "name": "awsb64", + "fields": { + "aws_access_key_id": "QTEyMzQ1Njc4OTAxMjM0NTY3OEE=", + "aws_secret_access_key": "QTEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4QQ==", + }, + "base64": [ + "aws_access_key_id", + "aws_secret_access_key", + ], + "ini_file": { + "aws_access_key_id": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_access_key_id", + }, + "aws_secret_access_key": { + "ini_file": f"{os.environ['HOME']}/aws-example.ini", + "ini_section": "default", + "ini_key": "aws_secret_access_key", + 
}, + }, + }, + } + + ret = result.exception.args[0] + self.assertTrue( + (ret["failed"] is False) + and (ret["changed"] is False) + and (len(ret["parsed_secrets"]) == 2) + and (len(ret["kubernetes_secret_objects"]) == 2) + and (ds_eq(ps, ret["parsed_secrets"])) + ) + + def test_module_default_labels(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-default-labels.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + + ret = result.exception.args[0] + self.assertTrue( + ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "labels": {"testlabel": "4"}, + "namespace": "validated-patterns-secrets", + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_override_labels(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-override-labels.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "labels": {"overridelabel": "42"}, + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_override_namespace(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-override-namespace.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": 
"kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "namespace": "overridden-namespace", + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_none_extra_namespaces(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-more-namespaces.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "none", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 2 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "namespace": "default", + }, + "stringData": {"username": "user"}, + }, + ) + and ds_eq( + ret["kubernetes_secret_objects"][1], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + "namespace": "extra", + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_override_type_kubernetes(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-override-type.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "type": "user-specified", + "metadata": 
DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + }, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_override_type_none(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-override-type-none.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "none", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "type": "user-specified", + "metadata": DEFAULT_KUBERNETES_METADATA + | {"name": "test-secret", "namespace": "default"}, + "stringData": {"username": "user"}, + }, + ) + ) + + def test_module_secret_file_contents(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-file-contents.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + }, + "stringData": {"username": "This space intentionally left blank\n"}, + }, + ) + ) + + def test_module_secret_file_contents_b64(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-file-contents-b64.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] 
+ self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + }, + "stringData": { + "username": "VGhpcyBzcGFjZSBpbnRlbnRpb25hbGx5IGxlZnQgYmxhbmsK" + }, + }, + ) + ) + + def test_module_secret_file_contents_double_b64(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join( + self.testdir_v2, "values-secret-v2-file-contents-double-b64.yaml" + ) + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "test-secret", + }, + "stringData": { + "username": "VkdocGN5QnpjR0ZqWlNCcGJuUmxiblJwYjI1aGJHeDVJR3hsWm5RZ1lteGhibXNL" + }, + }, + ) + ) + + def test_module_secret_file_contents_binary_b64(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-secret-binary-b64.yaml") + ) + with self.assertRaises(AnsibleExitJson) as result: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + ret = result.exception.args[0] + + # The binary bytes are [ 8, 6, 7, 5, 3, 0, 9 ] (IYKYK) + self.assertTrue( + len(ret["kubernetes_secret_objects"]) == 1 + and ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "secret", + }, + "stringData": {"secret": "CAYHBQMACQ=="}, + }, + ) + ) + + def test_ensure_success_retrieving_block_yaml_policy(self, getpass): + testfile_output = 
self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-defaultvp-policy.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "vault", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertTrue( + ds_eq( + ret["vault_policies"], + { + "basicPolicy": 'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 + }, + ) + ) + + def test_ensure_success_retrieving_block_yaml_value(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-block-yamlstring.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "vault", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertTrue( + ds_eq( + ret["parsed_secrets"], + { + "config-demo": DEFAULT_PARSED_SECRET_VALUE + | { + "fields": { + "sshprivkey": "ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com", # noqa: E501 + "sshpubkey": "-----BEGIN OPENSSH PRIVATE 
KEY-----\nTtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw==\nwlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q==\n-----END OPENSSH PRIVATE KEY-----", # noqa: E501 + }, + "name": "config-demo", + } + }, + ) + ) + + def test_ensure_kubernetes_object_block_yaml_value(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-block-yamlstring.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + "secrets_backing_store": "kubernetes", + } + ) + parse_secrets_info.main() + + ret = ansible_err.exception.args[0] + self.assertTrue( + ds_eq( + ret["kubernetes_secret_objects"][0], + DEFAULT_KUBERNETES_SECRET_OBJECT + | { + "metadata": DEFAULT_KUBERNETES_METADATA + | { + "name": "config-demo", + }, + "stringData": { + "sshprivkey": "ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com", # noqa: E501 + "sshpubkey": "-----BEGIN OPENSSH PRIVATE KEY-----\nTtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw==\nwlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q==\n-----END OPENSSH PRIVATE KEY-----", # noqa: E501 + }, + }, + ) + ) + + def test_ensure_kubernetes_backend_allowed(self, getpass): + testfile_output = self.get_file_as_stdout( + os.path.join(self.testdir_v2, "values-secret-v2-base-k8s-backend.yaml") + ) + with self.assertRaises(AnsibleExitJson) as ansible_err: + set_module_args( + { + "values_secrets_plaintext": testfile_output, + 
"secrets_backing_store": "kubernetes",
+ }
+ )
+ parse_secrets_info.main()
+
+ ret = ansible_err.exception.args[0]
+ self.assertFalse(ret["failed"])
+
+ def test_ensure_none_backend_allowed(self, getpass):
+ testfile_output = self.get_file_as_stdout(
+ os.path.join(self.testdir_v2, "values-secret-v2-base-none-backend.yaml")
+ )
+ with self.assertRaises(AnsibleExitJson) as ansible_err:
+ set_module_args(
+ {
+ "values_secrets_plaintext": testfile_output,
+ "secrets_backing_store": "none",
+ }
+ )
+ parse_secrets_info.main()
+
+ ret = ansible_err.exception.args[0]
+ self.assertFalse(ret["failed"])
+
+ def test_ensure_error_conflicting_backends(self, getpass):
+ testfile_output = self.get_file_as_stdout(
+ os.path.join(self.testdir_v2, "values-secret-v2-base-k8s-backend.yaml")
+ )
+ with self.assertRaises(AnsibleFailJson) as ansible_err:
+ set_module_args(
+ {
+ "values_secrets_plaintext": testfile_output,
+ "secrets_backing_store": "vault",
+ }
+ )
+ parse_secrets_info.main()
+
+ ret = ansible_err.exception.args[0]
+ self.assertEqual(ret["failed"], True)
+ assert (
+ ret["args"][1]
+ == "Secrets file specifies 'kubernetes' backend but pattern config specifies 'vault'." 
+ )
+
+ def test_ensure_error_unknown_backends(self, getpass):
+ testfile_output = self.get_file_as_stdout(
+ os.path.join(self.testdir_v2, "values-secret-v2-base-unknown-backend.yaml")
+ )
+ with self.assertRaises(AnsibleFailJson) as ansible_err:
+ set_module_args(
+ {
+ "values_secrets_plaintext": testfile_output,
+ "secrets_backing_store": "unknown",
+ }
+ )
+ parse_secrets_info.main()
+
+ ret = ansible_err.exception.args[0]
+ self.assertEqual(ret["failed"], True)
+ assert (
+ ret["args"][1]
+ == "Currently only the 'vault', 'kubernetes' and 'none' backingStores are supported: unknown"
+ )
+
+ def test_ensure_error_secrets_same_name(self, getpass):
+ testfile_output = self.get_file_as_stdout(
+ os.path.join(self.testdir_v2, "values-secret-v2-same-secret-names.yaml")
+ )
+ with self.assertRaises(AnsibleFailJson) as ansible_err:
+ set_module_args(
+ {
+ "values_secrets_plaintext": testfile_output,
+ }
+ )
+ parse_secrets_info.main()
+
+ ret = ansible_err.exception.args[0]
+ self.assertEqual(ret["failed"], True)
+ assert (
+ ret["args"][1] == "You cannot have duplicate secret names: ['config-demo']"
+ )
+
+ def test_ensure_error_fields_same_name(self, getpass):
+ testfile_output = self.get_file_as_stdout(
+ os.path.join(self.testdir_v2, "values-secret-v2-same-field-names.yaml")
+ )
+ with self.assertRaises(AnsibleFailJson) as ansible_err:
+ set_module_args(
+ {
+ "values_secrets_plaintext": testfile_output,
+ }
+ )
+ parse_secrets_info.main()
+
+ ret = ansible_err.exception.args[0]
+ self.assertEqual(ret["failed"], True)
+ assert ret["args"][1] == "You cannot have duplicate field names: ['secret']"
+
+ def test_ensure_generate_errors_on_kubernetes(self, getpass):
+ testfile_output = self.get_file_as_stdout(
+ os.path.join(self.testdir_v2, "values-secret-v2-generic-onlygenerate.yaml")
+ )
+ with self.assertRaises(AnsibleFailJson) as ansible_err:
+ set_module_args(
+ {
+ "values_secrets_plaintext": testfile_output,
+ "secrets_backing_store": "kubernetes",
+ }
+ )
+ 
parse_secrets_info.main()
+
+ ret = ansible_err.exception.args[0]
+ self.assertEqual(ret["failed"], True)
+ assert (
+ ret["args"][1]
+ == "You cannot have onMissingValue set to 'generate' unless using vault backingstore for secret config-demo field secret" # noqa: E501
+ )
+
+ def test_ensure_generate_errors_on_none_generate(self, getpass):
+ testfile_output = self.get_file_as_stdout(
+ os.path.join(self.testdir_v2, "values-secret-v2-generic-onlygenerate.yaml")
+ )
+ with self.assertRaises(AnsibleFailJson) as ansible_err:
+ set_module_args(
+ {
+ "values_secrets_plaintext": testfile_output,
+ "secrets_backing_store": "none",
+ }
+ )
+ parse_secrets_info.main()
+
+ ret = ansible_err.exception.args[0]
+ self.assertEqual(ret["failed"], True)
+ assert (
+ ret["args"][1]
+ == "You cannot have onMissingValue set to 'generate' unless using vault backingstore for secret config-demo field secret" # noqa: E501
+ )
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/common/ansible/tests/unit/test_util_datastructures.py b/common/ansible/tests/unit/test_util_datastructures.py
new file mode 100644
index 00000000..11d7cdae
--- /dev/null
+++ b/common/ansible/tests/unit/test_util_datastructures.py
@@ -0,0 +1,205 @@ +DEFAULT_PARSED_SECRET_VALUE = { + "name": "overwrite-me", + "fields": {}, + "base64": [], + "ini_file": {}, + "generate": [], + "override": [], + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": ["hub"], + "type": "Opaque", + "target_namespaces": [], + "labels": {}, + "annotations": {}, + "paths": {}, +} + +DEFAULT_KUBERNETES_METADATA = { + "name": "overwrite-me", + "labels": {}, + "annotations": {}, + "namespace": "validated-patterns-secrets", +} +DEFAULT_KUBERNETES_SECRET_OBJECT = { + "kind": "Secret", + "type": "Opaque", + "apiVersion": "v1", + "metadata": DEFAULT_KUBERNETES_METADATA, + "stringData": {}, +} + +DEFAULT_VAULT_POLICIES = { + "validatedPatternDefaultPolicy": ( + "length=20\n" + 'rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\n' # noqa: E501 + 'rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\n' # noqa: E501 + 'rule "charset" { charset = "0123456789" min-chars = 1 }\n' + 'rule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' + ), +} + +GENERATE_POLICY_B64_TEST = { + "vault_policies": { + "basicPolicy": 'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n', # noqa: E501 + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n', # noqa: E501 + }, + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": ["secret"], + "fields": {"secret": None}, + "generate": ["secret"], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": ["secret"], + "paths": {}, + "type": "Opaque", + 
"vault_mount": "secret", + "vault_policies": {"secret": "basicPolicy"}, + "vault_prefixes": ["region-one", "snowflake.blueprints.rhecoeng.com"], + } + }, +} + +PARSED_SECRET_VALUE_TEST = { + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": [], + "fields": {"secret": "value123"}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": ["hub"], + } + }, + "vault_policies": { + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: E501 + }, +} + +PARSED_SECRET_B64_VALUE_TEST = { + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": ["secret"], + "fields": {"secret": "dmFsdWUxMjMK"}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": ["hub"], + } + }, + "vault_policies": { + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: E501 + }, +} + +PARSED_SECRET_FILE_INJECTION_TEST = { + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": [], + "fields": {"secret": "value123"}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": 
{}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": [ + "secret/region-one", + "secret/snowflake.blueprints.rhecoeng.com", + ], + }, + "config-demo-file": { + "annotations": {}, + "base64": [], + "fields": {"test": ""}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo-file", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {"test": "/tmp/footest"}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": [ + "secret/region-two", + "secret/snowflake.blueprints.rhecoeng.com", + ], + }, + }, + "vault_policies": { + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: 501 + }, +} + +PARSED_SECRET_FILE_B64_INJECTION_TEST = { + "parsed_secrets": { + "config-demo": { + "annotations": {}, + "base64": [], + "fields": {"secret": "value123"}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": [ + "secret/region-one", + "secret/snowflake.blueprints.rhecoeng.com", + ], + }, + "config-demo-file": { + "annotations": {}, + "base64": ["test"], + "fields": {"test": ""}, + "generate": [], + "ini_file": {}, + "labels": {}, + "name": "config-demo-file", + "namespace": "validated-patterns-secrets", + "override": [], + "paths": {"test": "/tmp/footest"}, + "type": "Opaque", + "vault_mount": "secret", + "vault_policies": {}, + "vault_prefixes": [ + "secret/region-two", + "secret/snowflake.blueprints.rhecoeng.com", + ], + }, + }, + "vault_policies": { + "validatedPatternDefaultPolicy": 'length=20\nrule "charset" { 
charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' # noqa: 501
+ },
+}
diff --git a/common/ansible/tests/unit/test_vault_load_parsed_secrets.py b/common/ansible/tests/unit/test_vault_load_parsed_secrets.py
new file mode 100644
index 00000000..ca37de94
--- /dev/null
+++ b/common/ansible/tests/unit/test_vault_load_parsed_secrets.py
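Review bot: The two `# noqa: 501` comments on the `validatedPatternDefaultPolicy` entries of PARSED_SECRET_FILE_INJECTION_TEST and PARSED_SECRET_FILE_B64_INJECTION_TEST should read `# noqa: E501` like every other fixture in this file; `501` is not a flake8 code, so depending on the flake8 version the comment is ignored, reported as malformed, or treated as a blanket suppression rather than the targeted one intended. The module also has no docstring; a one-liner such as `"""Fixture data structures shared by the secrets unit tests in this directory."""` at the top would say why these constants exist. Separately, DEFAULT_PARSED_SECRET_VALUE carries `target_namespaces` while the `parsed_secrets` fixtures below carry a `namespace` key instead; if both are meant to model the same parse_secrets_info output shape, one of them looks stale and is worth confirming against the module.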
@@ -0,0 +1,320 @@
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""
+Simple module to test vault_load_parsed_secrets
+"""
+
+import json
+import os
+import sys
+import unittest
+from unittest.mock import call, patch
+
+import test_util_datastructures
+from ansible.module_utils import basic
+from ansible.module_utils.common.text.converters import to_bytes
+
+# TODO(bandini): I could not come up with something better to force the imports to be existing
+# when we 'import vault_load_secrets'
+sys.path.insert(1, "./ansible/plugins/module_utils")
+sys.path.insert(1, "./ansible/plugins/modules")
+
+import vault_load_parsed_secrets # noqa: E402
+
+sys.modules["ansible.modules.vault_load_parsed_secrets"] = vault_load_parsed_secrets
+
+
+def set_module_args(args):
+ """prepare arguments so that they will be picked up during module creation"""
+ args = json.dumps({"ANSIBLE_MODULE_ARGS": args})
+ basic._ANSIBLE_ARGS = to_bytes(args)
+
+
+class AnsibleExitJson(Exception):
+ """Exception class to be raised by module.exit_json and caught by the test case"""
+
+ pass
+
+
+class AnsibleFailJson(Exception):
+ """Exception class to be raised by module.fail_json and caught by the test case"""
+
+ pass
+
+
+def exit_json(*args, **kwargs):
+ """function to patch over exit_json; package return data into an exception"""
+ if "changed" not in kwargs:
+ kwargs["changed"] = False
+ raise AnsibleExitJson(kwargs)
+
+
+def 
fail_json(*args, **kwargs): + """function to patch over fail_json; package return data into an exception""" + kwargs["failed"] = True + kwargs["args"] = args + raise AnsibleFailJson(kwargs) + + +class TestMyModule(unittest.TestCase): + def setUp(self): + self.mock_module_helper = patch.multiple( + basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json + ) + self.mock_module_helper.start() + self.addCleanup(self.mock_module_helper.stop) + self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") + + def tearDown(self): + return + + def test_module_fail_when_required_args_missing(self): + with self.assertRaises(AnsibleFailJson): + set_module_args({}) + vault_load_parsed_secrets.main() + + # For these tests, we need the data structures that parse_secrets_info outputs. + # Several have been saved in the test_util_datastructures module for this purpose + def test_ensure_value_injection_works(self): + set_module_args( + { + "parsed_secrets": test_util_datastructures.PARSED_SECRET_VALUE_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.PARSED_SECRET_VALUE_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 2 + + calls = [ + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc 
exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/config-demo secret='value123'\"", + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + def test_ensure_b64_value_injection_works(self): + set_module_args( + { + "parsed_secrets": test_util_datastructures.PARSED_SECRET_B64_VALUE_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.PARSED_SECRET_B64_VALUE_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 2 + + calls = [ + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/config-demo secret='dmFsdWUxMjMK'\"", # noqa: E501 + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + def test_ensure_file_injection_works(self): + 
set_module_args( + { + "parsed_secrets": test_util_datastructures.PARSED_SECRET_FILE_INJECTION_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.PARSED_SECRET_FILE_INJECTION_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 5 + + calls = [ + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/region-one/config-demo secret='value123'\"", # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo secret='value123'\"", # noqa: E501 + attempts=3, + ), + call( + "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/region-two/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 + attempts=3, + ), + call( + "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh 
-c 'vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + def test_ensure_file_b64_injection_works(self): + set_module_args( + { + "parsed_secrets": test_util_datastructures.PARSED_SECRET_FILE_B64_INJECTION_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.PARSED_SECRET_FILE_B64_INJECTION_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 5 + + calls = [ + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/region-one/config-demo secret='value123'\"", # noqa: E501 + attempts=3, + ), + call( + "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo secret='value123'\"", # noqa: E501 + attempts=3, + ), + call( + "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 
--wrap=0> /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/region-two/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 + attempts=3, + ), + call( + "cat '/tmp/footest' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0> /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo-file test=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + def test_ensure_b64_generate_passwords_works(self): + set_module_args( + { + "parsed_secrets": test_util_datastructures.GENERATE_POLICY_B64_TEST[ + "parsed_secrets" + ], + "vault_policies": test_util_datastructures.GENERATE_POLICY_B64_TEST[ + "vault_policies" + ], + } + ) + with patch.object( + vault_load_parsed_secrets.VaultSecretLoader, "_run_command" + ) as mock_run_command: + stdout = "" + stderr = "" + ret = 0 + mock_run_command.return_value = ret, stdout, stderr # successful execution + + with self.assertRaises(AnsibleExitJson) as result: + vault_load_parsed_secrets.main() + self.assertTrue( + result.exception.args[0]["changed"] + ) # ensure result is changed + assert mock_run_command.call_count == 4 + + calls = [ + call( + 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" 
min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 + attempts=3, + ), + call( + 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 + attempts=3, + ), + call( + 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 + attempts=3, + ), + ] + print(mock_run_command.mock_calls) + mock_run_command.assert_has_calls(calls) + + +if __name__ == "__main__": + unittest.main() diff --git a/common/ansible/tests/unit/v2/test-file-contents b/common/ansible/tests/unit/v2/test-file-contents new file mode 100644 index 00000000..49c9a88c --- /dev/null +++ b/common/ansible/tests/unit/v2/test-file-contents @@ -0,0 +1 @@ +This space intentionally left blank diff --git a/common/ansible/tests/unit/v2/test-file-contents.b64 b/common/ansible/tests/unit/v2/test-file-contents.b64 new file mode 100644 index 00000000..da896ba7 --- /dev/null +++ b/common/ansible/tests/unit/v2/test-file-contents.b64 @@ -0,0 +1 @@ +VGhpcyBzcGFjZSBpbnRlbnRpb25hbGx5IGxlZnQgYmxhbmsK \ No newline at end of file diff --git a/common/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml b/common/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml new file mode 100644 index 00000000..7194ebc3 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-base-k8s-backend.yaml @@ -0,0 +1,9 @@ +version: "2.0" + +backingStore: kubernetes + +secrets: + - name: config-demo + fields: + - name: secret + value: secret 
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml b/common/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml new file mode 100644 index 00000000..4e1e3cd2 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-base-none-backend.yaml @@ -0,0 +1,11 @@ +version: "2.0" + +backingStore: none + +secrets: + - name: config-demo + targetNamespaces: + - default + fields: + - name: secret + value: secret diff --git a/common/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml b/common/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml new file mode 100644 index 00000000..e1f4c6d5 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-base-unknown-backend.yaml @@ -0,0 +1,9 @@ +version: "2.0" + +backingStore: unknown + +secrets: + - name: config-demo + fields: + - name: secret + value: secret diff --git a/common/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml b/common/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml new file mode 100644 index 00000000..84165f69 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-block-yamlstring.yaml @@ -0,0 +1,16 @@ +version: "2.0" + +secrets: + - name: config-demo + fields: + - name: sshprivkey + onMissingValue: error + value: |- + ssh-rsa oNb/kAvwdQl+FKdwzzKo5rnGIB68UOxWoaKPnKdgF/ts67CDBslWGnpUZCpp8TdaxfHmpoyA6nutMwQw8OAMEUybxvilDn+ZVJ/5qgfRBdi8wLKRLTIj0v+ZW7erN9yuZG53xUQAaQjivM3cRyNLIZ9torShYaYwD1UTTDkV97RMfNDlWI5f5FGRvfy429ZfCwbUWUbijrcv/mWc/uO3x/+MBXwa4f8ubzEYlrt4yH/Vbpzs67kE9UJ9z1zurFUFJydy1ZDAdKSiBS91ImI3ccKnbz0lji2bgSYR0Wp1IQhzSpjyJU2rIu9HAEUh85Rwf2jakfLpMcg/hSBer3sG kilroy@example.com + - name: sshpubkey + onMissingValue: error + value: |- + -----BEGIN OPENSSH PRIVATE KEY----- + TtzxGgWrNerAr1hzUqPW2xphF/Aur1rQXSLv4J7frEJxNED6u/eScsNgwJMGXwRx7QYVohh0ARHVhJdUzJK7pEIphi4BGw== + wlo+oQsi828b47SKZB8/K9dbeLlLiXh9/hu47MGpeGHZsKbjAdauncuw+YUDDN2EADJjasNMZHjxYhXKtqDjXTIw1X1n0Q== + -----END OPENSSH PRIVATE KEY----- 
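Review bot: The field names in `values-secret-v2-block-yamlstring.yaml` are swapped: `sshprivkey` carries an `ssh-rsa …` public-key line while `sshpubkey` carries the `-----BEGIN OPENSSH PRIVATE KEY-----` block. Even as test data this invites copy-paste into a real values file, so either swap the two names or, if the test only exercises block-scalar handling, use neutral names such as `blockvalue1`/`blockvalue2`. The private-key header will also trip repository secret scanners; a leading comment like `# Fake, truncated key material used only to exercise block-scalar parsing` makes that auditable without changing what the test parses.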
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml b/common/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml new file mode 100644 index 00000000..af3e2f9b --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-default-annotations.yaml @@ -0,0 +1,13 @@ +--- +version: "2.0" + +annotations: + test-annotation: 42 + +secrets: + - name: test-secret + fields: + - name: username + value: user + - name: password + value: testpass diff --git a/common/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml b/common/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml new file mode 100644 index 00000000..56af6586 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-default-labels.yaml @@ -0,0 +1,11 @@ +--- +version: "2.0" + +defaultLabels: + testlabel: 4 + +secrets: + - name: test-secret + fields: + - name: username + value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml b/common/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml new file mode 100644 index 00000000..a0f4db63 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-default-namespace.yaml @@ -0,0 +1,8 @@ +--- +version: "2.0" + +secrets: + test-secret: + fields: + - name: username + value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml new file mode 100644 index 00000000..47ed7219 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-file-contents-b64.yaml @@ -0,0 +1,9 @@ +--- +version: "2.0" + +secrets: + - name: test-secret + fields: + - name: username + path: ~/test-file-contents + base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml new file mode 100644 index 00000000..3a968eca --- /dev/null 
+++ b/common/ansible/tests/unit/v2/values-secret-v2-file-contents-double-b64.yaml @@ -0,0 +1,9 @@ +--- +version: "2.0" + +secrets: + - name: test-secret + fields: + - name: username + path: ~/test-file-contents.b64 + base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml b/common/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml new file mode 100644 index 00000000..e2da90c2 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-file-contents.yaml @@ -0,0 +1,8 @@ +--- +version: "2.0" + +secrets: + - name: test-secret + fields: + - name: username + path: ~/test-file-contents diff --git a/common/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml b/common/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml new file mode 100644 index 00000000..46992af1 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-generic-onlygenerate.yaml @@ -0,0 +1,33 @@ +version: "2.0" + +vaultPolicies: + basicPolicy: | + length=10 + rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } + rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } + rule "charset" { charset = "0123456789" min-chars = 1 } + + advancedPolicy: | + length=20 + rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } + rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } + rule "charset" { charset = "0123456789" min-chars = 1 } + rule "charset" { charset = "!@#%^&*" min-chars = 1 } + +secrets: + - name: config-demo + targetNamespaces: + - default + vaultMount: foo + vaultPrefixes: + - region-one + - snowflake.blueprints.rhecoeng.com + fields: + - name: secret + onMissingValue: generate + override: true + vaultPolicy: basicPolicy + - name: secret2 + onMissingValue: generate + override: true + vaultPolicy: advancedPolicy 
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml new file mode 100644 index 00000000..ff08d20a --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-ini-file-b64.yaml @@ -0,0 +1,23 @@ +version: "2.0" +secrets: + - name: aws + fields: + - name: aws_access_key_id + ini_file: '~/aws-example.ini' + ini_section: default + ini_key: aws_access_key_id + - name: aws_secret_access_key + ini_file: '~/aws-example.ini' + ini_key: aws_secret_access_key + - name: awsb64 + fields: + - name: aws_access_key_id + ini_file: '~/aws-example.ini' + ini_section: default + ini_key: aws_access_key_id + base64: true + - name: aws_secret_access_key + ini_file: '~/aws-example.ini' + ini_section: default + ini_key: aws_secret_access_key + base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml b/common/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml new file mode 100644 index 00000000..be409af7 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-more-namespaces.yaml @@ -0,0 +1,11 @@ +--- +version: "2.0" + +secrets: + - name: test-secret + targetNamespaces: + - default + - extra + fields: + - name: username + value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml b/common/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml new file mode 100644 index 00000000..a0f4db63 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-nondefault-namespace.yaml @@ -0,0 +1,8 @@ +--- +version: "2.0" + +secrets: + test-secret: + fields: + - name: username + value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml b/common/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml new file mode 100644 index 00000000..2a5ef0b6 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-none-no-targetnamespaces.yaml 
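Review bot: `values-secret-v2-nondefault-namespace.yaml` is byte-identical to `values-secret-v2-default-namespace.yaml` (both are blob a0f4db63), and in both `secrets:` is a map keyed by `test-secret` rather than the `- name:` list form every other v2 fixture uses. A test that is meant to distinguish the default from a non-default namespace cannot be driven by these two inputs as written; presumably the non-default variant should carry a differing `defaultNamespace:` or `secretStoreNamespace:` line. If the map-shaped `secrets:` is deliberate (to exercise a validation error), a comment saying so would stop the next reader from "fixing" it.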
@@ -0,0 +1,33 @@ +version: "2.0" + +backingStore: vault + +vaultPolicies: + basicPolicy: | + length=10 + rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } + rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } + rule "charset" { charset = "0123456789" min-chars = 1 } + + advancedPolicy: | + length=20 + rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } + rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } + rule "charset" { charset = "0123456789" min-chars = 1 } + rule "charset" { charset = "!@#%^&*" min-chars = 1 } + +secrets: + - name: config-demo + vaultMount: foo + vaultPrefixes: + - region-one + - snowflake.blueprints.rhecoeng.com + fields: + - name: secret + onMissingValue: generate + override: true + vaultPolicy: basicPolicy + - name: secret2 + onMissingValue: generate + override: true + vaultPolicy: advancedPolicy diff --git a/common/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml b/common/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml new file mode 100644 index 00000000..13a460be --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-override-labels.yaml @@ -0,0 +1,13 @@ +--- +version: "2.0" + +defaultLabels: + testlabel: 4 + +secrets: + - name: test-secret + labels: + overridelabel: 42 + fields: + - name: username + value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml b/common/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml new file mode 100644 index 00000000..ad53cf77 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-override-namespace.yaml @@ -0,0 +1,10 @@ +--- +version: "2.0" + +secretStoreNamespace: 'overridden-namespace' + +secrets: + - name: test-secret + fields: + - name: username + value: user 
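Review bot: The file name `values-secret-v2-none-no-targetnamespaces.yaml` says `none` and `no-targetnamespaces`, but the content sets `backingStore: vault`, so whatever the corresponding test asserts about a `none` backing store without `targetNamespaces` is not exercised by this input; compare `values-secret-v2-base-none-backend.yaml`, which does set `backingStore: none` and does list `targetNamespaces`. If the intent is to check that `none` rejects a secret lacking `targetNamespaces`, change the line to `backingStore: none`; otherwise rename the fixture to match what it actually contains.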
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml b/common/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml new file mode 100644 index 00000000..1d110671 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-override-type-none.yaml @@ -0,0 +1,14 @@ +--- +version: "2.0" + +# This is the actual default +defaultNamespace: 'validated-patterns-secrets' + +secrets: + - name: test-secret + type: 'user-specified' + targetNamespaces: + - default + fields: + - name: username + value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-override-type.yaml b/common/ansible/tests/unit/v2/values-secret-v2-override-type.yaml new file mode 100644 index 00000000..1bf8e369 --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-override-type.yaml @@ -0,0 +1,12 @@ +--- +version: "2.0" + +# This is the actual default +defaultNamespace: 'validated-patterns-secrets' + +secrets: + - name: test-secret + type: 'user-specified' + fields: + - name: username + value: user diff --git a/common/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml new file mode 100644 index 00000000..579c7d6e --- /dev/null +++ b/common/ansible/tests/unit/v2/values-secret-v2-secret-binary-b64.yaml @@ -0,0 +1,10 @@ +version: "2.0" + +secrets: + - name: secret + fields: + - name: secret + # Should contain 8, 6, 7, 5, 3, 0, 9 in binary + path: '/tmp/testbinfile.bin' + onMissingValue: error + base64: true diff --git a/common/clustergroup/Chart.yaml b/common/clustergroup/Chart.yaml index 345b8175..e2d4f98b 100644 --- a/common/clustergroup/Chart.yaml +++ b/common/clustergroup/Chart.yaml @@ -3,4 +3,4 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any keywords: - pattern name: clustergroup -version: 0.8.2 +version: 0.8.5 
diff --git a/common/clustergroup/templates/_helpers.tpl b/common/clustergroup/templates/_helpers.tpl index 83b06a04..5001a06e 100644 --- a/common/clustergroup/templates/_helpers.tpl +++ b/common/clustergroup/templates/_helpers.tpl @@ -22,6 +22,8 @@ Default always defined top-level variables for helm charts value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }} - name: global.privateRepo value: {{ $.Values.global.privateRepo | quote }} +- name: global.experimentalCapabilities + value: {{ $.Values.global.experimentalCapabilities | default "" }} {{- end }} {{/* clustergroup.globalvaluesparameters */}} 
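Review bot: `global.experimentalCapabilities` is emitted unquoted while the sibling `global.privateRepo` parameter two lines above is piped through `quote`; with the `default ""` fallback the new line renders as `value:` with nothing after it, which YAML reads as null rather than the empty string an Argo parameter value expects. Make it `value: {{ $.Values.global.experimentalCapabilities | default "" | quote }}` for consistency with the surrounding parameters and to guarantee a string.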
@@ -70,3 +72,157 @@ Default always defined valueFiles to be included in Applications but with a pref {{- end }} {{/* range $.Values.global.extraValueFiles */}} {{- end }} {{/* if $.Values.global.extraValueFiles */}} {{- end }} {{/* clustergroup.app.globalvalues.prefixedvaluefiles */}} + +{{/* +Helper function to generate AppProject from a map object +Called from common/clustergroup/templates/plumbing/projects.yaml +*/}} +{{- define "clustergroup.template.plumbing.projects.map" -}} +{{- $projects := index . 0 }} +{{- $namespace := index . 1 }} +{{- $enabled := index . 2 }} +{{- range $k, $v := $projects}} +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: {{ $k }} +{{- if (eq $enabled "plumbing") }} + namespace: openshift-gitops +{{- else }} + namespace: {{ $namespace }} +{{- end }} +spec: + description: "Pattern {{ . }}" + destinations: + - namespace: '*' + server: '*' + clusterResourceWhitelist: + - group: '*' + kind: '*' + namespaceResourceWhitelist: + - group: '*' + kind: '*' + sourceRepos: + - '*' +status: {} +--- +{{- end }} +{{- end }} + +{{/* + Helper function to generate AppProject from a list object. + Called from common/clustergroup/templates/plumbing/projects.yaml +*/}} +{{- define "clustergroup.template.plumbing.projects.list" -}} +{{- $projects := index . 0 }} +{{- $namespace := index . 1 }} +{{- $enabled := index . 2 }} +{{- range $projects}} +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: {{ . }} +{{- if (eq $enabled "plumbing") }} + namespace: openshift-gitops +{{- else }} + namespace: {{ $namespace }} +{{- end }} +spec: + description: "Pattern {{ . }}" + destinations: + - namespace: '*' + server: '*' + clusterResourceWhitelist: + - group: '*' + kind: '*' + namespaceResourceWhitelist: + - group: '*' + kind: '*' + sourceRepos: + - '*' +status: {} +{{- end }} +{{- end }} + +{{/* + Helper function to generate Namespaces from a map object. 
+ Arguments passed as a list object are: + 0 - The namespace hash keys + 1 - Pattern name from .Values.global.pattern + 2 - Cluster group name from .Values.clusterGroup.name + Called from common/clustergroup/templates/core/namespaces.yaml +*/}} +{{- define "clustergroup.template.core.namespaces.map" -}} +{{- $ns := index . 0 }} +{{- $patternName := index . 1 }} +{{- $clusterGroupName := index . 2 }} + +{{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ $k }} + {{- if ne $v nil }} + labels: + argocd.argoproj.io/managed-by: {{ $patternName }}-{{ $clusterGroupName }} + {{- if $v.labels }} + {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}} + {{ $key }}: {{ $value | default "" | quote }} + {{- end }} + {{- end }} + {{- if $v.annotations }} + annotations: + {{- range $key, $value := $v.annotations }} {{- /* We loop through the map to get key/value pairs */}} + {{ $key }}: {{ $value | default "" | quote }} + {{- end }} + {{- end }}{{- /* if $v.annotations */}} + {{- end }} +spec: +--- +{{- end }}{{- /* range $k, $v := $ns */}} +{{- end }} + +{{- /* + Helper function to generate OperatorGroup from a map object. + Arguments passed as a list object are: + 0 - The namespace hash keys + 1 - The operatorExcludes section from .Values.clusterGroup.operatorgroupExcludes + Called from common/clustergroup/templates/core/operatorgroup.yaml +*/ -}} +{{- define "clustergroup.template.core.operatorgroup.map" -}} +{{- $ns := index . 0 }} +{{- $operatorgroupExcludes := index . 1 }} +{{- if or (empty $operatorgroupExcludes) (not (has . 
$operatorgroupExcludes)) }} + {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} + {{- if $v }} + {{- if or $v.operatorGroup (not (hasKey $v "operatorGroup")) }}{{- /* Checks if the user sets operatorGroup: false */}} +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: {{ $k }}-operator-group + namespace: {{ $k }} +spec: + targetNamespaces: + {{- if (hasKey $v "targetNamespaces") }} + {{- range $v.targetNamespaces }}{{- /* We loop through the list of tergetnamespaces */}} + - {{ . }} + {{- end }}{{- /* End range targetNamespaces */}} + {{- else }} + - {{ $k }} + {{- end }}{{- /* End of if hasKey $v "targetNamespaces" */}} + {{- end }}{{- /* End if $v.operatorGroup */}} + {{- else }}{{- /* else if $v == nil */}} +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: {{ $k }}-operator-group + namespace: {{ $k }} +spec: + targetNamespaces: + - {{ $k }} + {{- end }}{{- /* end if $v */}} + {{- end }}{{- /* End range $k, $v = $ns */}} +{{- end }}{{- /* End of if operatorGroupExcludes */}} +{{- end }} {{- /* End define "clustergroup.template.core.operatorgroup.map" */}} diff --git a/common/clustergroup/templates/core/namespaces.yaml b/common/clustergroup/templates/core/namespaces.yaml index dfa6ae1a..c9a26afb 100644 --- a/common/clustergroup/templates/core/namespaces.yaml +++ b/common/clustergroup/templates/core/namespaces.yaml 
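Review bot: In `clustergroup.template.core.operatorgroup.map` the exclusion test `(not (has . $operatorgroupExcludes))` runs before the `range` with `.` bound to the whole argument list, so `operatorgroupExcludes` can never suppress an OperatorGroup on the map path; move the test inside the loop and check the namespace key, e.g. `{{- range $k, $v := $ns }}` followed by `{{- if or (empty $operatorgroupExcludes) (not (has $k $operatorgroupExcludes)) }}` (and drop the "map has always just one key" comment, which is untrue for the full namespaces map passed here). In `clustergroup.template.core.namespaces.map` a namespace whose value is nil gets no `argocd.argoproj.io/managed-by` label because the entire `labels:` block sits under `{{- if ne $v nil }}`; if the list form always labels namespaces, that is a behavioural difference worth a fix or at least a comment. The two AppProject helpers grant `sourceRepos: '*'`, `destinations` of `'*'/'*'` and a wildcard cluster and namespace resource whitelist to every project, presumably mirroring the existing list template; a comment stating that projects are intentionally unrestricted and that tightening is left to the pattern author would help reviewers of the rendered RBAC. Finally, the map project helper's `description: "Pattern {{ . }}"` renders the map value, not the project name — it should read `description: "Pattern {{ $k }}"`.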
@@ -1,4 +1,13 @@ {{- if not (eq .Values.enabled "plumbing") }} +{{- /* + We first check if namespaces are defined as a map. If it is we call + our helper function in _helpers.tpl to process the namespaces + described in the values file. This is to support issue + https://github.com/validatedpatterns/common/issues/459 created by our customer. +*/ -}} +{{- if kindIs "map" .Values.clusterGroup.namespaces }} +{{- template "clustergroup.template.core.namespaces.map" (list .Values.clusterGroup.namespaces $.Values.global.pattern $.Values.clusterGroup.name) }} +{{- else }} {{- range $ns := .Values.clusterGroup.namespaces }} apiVersion: v1 kind: Namespace @@ -30,3 +39,4 @@ spec: --- {{- end }} {{- end }} +{{- end }} diff --git a/common/clustergroup/templates/core/operatorgroup.yaml b/common/clustergroup/templates/core/operatorgroup.yaml index cd679bd5..4d8c3014 100644 --- a/common/clustergroup/templates/core/operatorgroup.yaml +++ b/common/clustergroup/templates/core/operatorgroup.yaml @@ -1,4 +1,13 @@ {{- if not (eq .Values.enabled "plumbing") }} +{{- /* + We first check if namespaces are defined as a map. If it is we call + our helper function in _helpers.tpl to process the projects + described in the values file. This is to support issue + https://github.com/validatedpatterns/common/issues/459 created by our customer. +*/ -}} +{{- if kindIs "map" .Values.clusterGroup.namespaces }} +{{- template "clustergroup.template.core.operatorgroup.map" (list .Values.clusterGroup.namespaces .Values.clusterGroup.operatorgroupExcludes) }} +{{- else }} {{- range $ns := .Values.clusterGroup.namespaces }} {{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) }} 
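Review bot: The explanatory comment added to `operatorgroup.yaml` was copied from `namespaces.yaml` and still says the helper will "process the projects", but what it calls is `clustergroup.template.core.operatorgroup.map`; change the line to `our helper function in _helpers.tpl to process the OperatorGroups`. The `{{- if or (empty …) (not (has . …)) }}` line kept on the list path relies on `.` being the current namespace entry inside `range $ns :=`, which is correct here; a short comment saying so would make the contrast with the map helper (where `.` is the argument list) explicit.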
@@ -6,6 +15,7 @@ {{- if kindIs "map" $ns }} {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} {{- if $v.operatorGroup }}{{- /* Checks if the user sets operatorGroup: false */}} +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -23,6 +33,7 @@ spec: {{- end }}{{- /* range $k, $v := $ns */}} {{- end }}{{- /* End of if operatorGroup */}} {{- else if kindIs "string" $ns }} +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -35,4 +46,5 @@ spec: --- {{- end }} {{- /* if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) */}} {{- end }} {{- /* range $ns := .Values.clusterGroup.namespaces */}} +{{- end }} {{- /* if kindIs "map" $ns */}} {{- end }} {{- /* if not (eq .Values.enabled "plumbing") */}} diff --git a/common/clustergroup/templates/imperative/_helpers.tpl b/common/clustergroup/templates/imperative/_helpers.tpl index f75e781e..d55220e4 100644 --- a/common/clustergroup/templates/imperative/_helpers.tpl +++ b/common/clustergroup/templates/imperative/_helpers.tpl 
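Review bot: The closing comment on the new `{{- end }} {{- /* if kindIs "map" $ns */}}` is misleading — it closes the `{{- if kindIs "map" .Values.clusterGroup.namespaces }}` added at the top of the file, not the per-entry `kindIs "map" $ns` test; write `{{- /* if kindIs "map" .Values.clusterGroup.namespaces */}}`. With a leading `---` now emitted before each OperatorGroup and the trailing `---` still kept after each one, the list path yields back-to-back separators (empty documents); Helm and kubectl ignore those, but dropping the trailing one keeps the rendered output tidy.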
@@ -4,6 +4,29 @@ # 3. If it is an http secret, generate the correct URL # 4. If it is an ssh secret, create the private ssh key and make sure the git clone works +{{/* fetch-ca InitContainer */}} +{{- define "imperative.initcontainers.fetch-ca" }} +- name: fetch-ca + image: {{ $.Values.clusterGroup.imperative.image }} + imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} + env: + - name: HOME + value: /git/home + command: + - 'sh' + - '-c' + - >- + cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt || true; + ls -l /tmp/ca-bundles/ + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles +{{- end }} + {{/* git-init InitContainer */}} {{- define "imperative.initcontainers.gitinit" }} - name: git-init @@ -12,6 +35,9 @@ env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -23,7 +49,6 @@ U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')"; URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
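Review bot: In `imperative.initcontainers.fetch-ca` the single `cat … > … || true` hides every failure, including a missing or unreadable `kube-root-ca.crt`, so a broken bundle only surfaces later as an opaque TLS error from git-init; since `trusted-ca-bundle` is the volume declared `optional: true`, tolerate only that file: `cat /var/run/kube-root-ca/ca.crt > /tmp/ca-bundles/ca-bundle.crt; cat /var/run/trusted-ca/ca-bundle.crt >> /tmp/ca-bundles/ca-bundle.crt 2>/dev/null || true;`. A one-line comment noting that `/tmp/ca-bundles` is later mounted over `/etc/pki/tls/certs` in git-init, and therefore shadows whatever trust store the image ships there, would also help the next maintainer understand why both inputs are concatenated.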
@@ -31,17 +56,62 @@ chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; +{{- end }} + +{{/* git-init-ca InitContainer */}} +{{- define "imperative.initcontainers.gitinit-ca" }} +- name: git-init + image: {{ $.Values.clusterGroup.imperative.image }} + imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} + env: + - name: HOME + value: /git/home volumeMounts: - name: git mountPath: "/git" + - name: ca-bundles + mountPath: /etc/pki/tls/certs + command: + - 'sh' + - '-c' + - >- + if ! oc get secrets -n openshift-gitops vp-private-repo-credentials &> /dev/null; then + URL="{{ $.Values.global.repoURL }}"; + else + if ! 
oc get secrets -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode}}` }}' &>/dev/null; then + U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')"; + P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')"; + URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); + else + S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.sshPrivateKey | base64decode }}` }}')"; + mkdir -p --mode 0700 "${HOME}/.ssh"; + echo "${S}" > "${HOME}/.ssh/id_rsa"; + chmod 0600 "${HOME}/.ssh/id_rsa"; + URL=$(echo {{ $.Values.global.repoURL }} | sed -E "s/(https?:\/\/)/\1git@/"); + git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; + fi; + fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; + mkdir /git/{repo,home}; + git clone --recurse-submodules --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- "${URL}" /git/repo; + chmod 0770 /git/{repo,home}; {{- end }} - {{/* Final done container */}} {{- define "imperative.containers.done" }} - name: "done" 
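Review bot: The HTTP branch of `imperative.initcontainers.gitinit-ca` splices the password into the clone URL with `sed -E "s/(https?:\/\/)/\1${U}:${P}@/"`, so a password containing `/`, `&` or `\` breaks the substitution, and the credentialed URL is then persisted by git as `remote.origin.url` in `/git/repo/.git/config`, which every later container in the job can read. A git credential helper keeps the URL clean and the secret in a 0600 file under `$HOME`; the rewritten branch is below. This define otherwise duplicates `imperative.initcontainers.gitinit` almost line for line apart from the `/etc/pki/tls/certs` mount — consider factoring the shared script into one include so the two copies cannot drift (the `sed` flaw already exists in both). `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null` in the ssh branch disables host authentication entirely; if the repository host key cannot be pinned, a comment acknowledging that trade-off is warranted.
```sh
# … unchanged: secret presence check and outer if/else …
U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.username | base64decode }}` }}')";
P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{ `{{index .data.password | base64decode }}` }}')";
mkdir -p --mode 0700 "${HOME}";
printf 'username=%s\npassword=%s\n' "${U}" "${P}" > "${HOME}/.git-credentials-helper";
chmod 0600 "${HOME}/.git-credentials-helper";
git config --global credential.helper '!f() { cat "${HOME}/.git-credentials-helper"; }; f';
URL="{{ $.Values.global.repoURL }}";
# … unchanged: ssh branch, proxy discovery, clone …
```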
@@ -56,6 +126,19 @@ {{- end }} {{/* volume-mounts for all containers */}} +{{- define "imperative.volumemounts_ca" }} +- name: git + mountPath: "/git" +- name: values-volume + mountPath: /values/values.yaml + subPath: values.yaml +- mountPath: /var/run/kube-root-ca + name: kube-root-ca +- mountPath: /var/run/trusted-ca + name: trusted-ca-bundle +- mountPath: /tmp/ca-bundles + name: ca-bundles +{{- end }} {{- define "imperative.volumemounts" }} - name: git mountPath: "/git" @@ -63,3 +146,29 @@ mountPath: /values/values.yaml subPath: values.yaml {{- end }} + +{{/* volumes for all containers */}} +{{- define "imperative.volumes" }} +- name: git + emptyDir: {} +- name: values-volume + configMap: + name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} +{{- end }} + +{{- define "imperative.volumes_ca" }} +- name: git + emptyDir: {} +- name: values-volume + configMap: + name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} +- configMap: + name: kube-root-ca.crt + name: kube-root-ca +- configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle +- name: ca-bundles + emptyDir: {} +{{- end }} diff --git a/common/clustergroup/templates/imperative/configmap.yaml b/common/clustergroup/templates/imperative/configmap.yaml index 8ca5a176..9f2d6155 100644 --- a/common/clustergroup/templates/imperative/configmap.yaml +++ b/common/clustergroup/templates/imperative/configmap.yaml @@ -9,4 +9,13 @@ metadata: data: values.yaml: | {{ tpl $valuesyaml . | indent 4 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: {{ $.Values.clusterGroup.imperative.namespace}} + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' {{- end }} diff --git a/common/clustergroup/templates/imperative/job.yaml b/common/clustergroup/templates/imperative/job.yaml index cb092649..0b82d47c 100644 --- a/common/clustergroup/templates/imperative/job.yaml 
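Review bot: The `annotations:` key on the new `trusted-ca-bundle` ConfigMap has no value and renders as `annotations: null`; drop the line or give it content. The ConfigMap is also emitted unconditionally, whereas the jobs only mount it when `initcontainers` is present in `global.experimentalCapabilities` — harmless, but a comment such as `# Always created so the bundle is injected before the initcontainers capability is enabled` would explain the asymmetry (presumably that is the intent). Minor: `{{ $.Values.clusterGroup.imperative.namespace}}` is missing the space before `}}` that every other action in the file has.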
+++ b/common/clustergroup/templates/imperative/job.yaml @@ -1,3 +1,5 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} + {{- if not (eq .Values.enabled "plumbing") }} {{/* Define this if needed (jobs defined */}} {{- if (and $.Values.clusterGroup.imperative (gt (len $.Values.clusterGroup.imperative.jobs) 0)) -}} @@ -22,7 +24,12 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there +{{- if $hasInitContainerCapability }} + {{- include "imperative.initcontainers.fetch-ca" . | indent 12 }} + {{- include "imperative.initcontainers.gitinit-ca" . | indent 12 }} +{{- else }} {{- include "imperative.initcontainers.gitinit" . | indent 12 }} +{{- end }} {{- range $.Values.clusterGroup.imperative.jobs }} {{- if ne (.disabled | default "false" | toString | lower ) "true" }} - name: {{ .name }} @@ -53,17 +60,21 @@ spec: {{- end }} - {{ .playbook }} volumeMounts: +{{- if $hasInitContainerCapability }} + {{- include "imperative.volumemounts_ca" . | indent 16 }} +{{- else }} {{- include "imperative.volumemounts" . | indent 16 }} +{{- end }} {{- end }} {{- end }} containers: {{- include "imperative.containers.done" . | indent 12 }} volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} +{{- if $hasInitContainerCapability }} + {{- include "imperative.volumes_ca" . | indent 12 }} +{{- else }} + {{- include "imperative.volumes" . | indent 12 }} +{{- end }} restartPolicy: Never {{- end }} {{- end }} diff --git a/common/clustergroup/templates/imperative/unsealjob.yaml b/common/clustergroup/templates/imperative/unsealjob.yaml index d0dbc3c7..e0ff2c78 100644 --- a/common/clustergroup/templates/imperative/unsealjob.yaml 
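Review bot: The `$hasInitContainerCapability` expression is now spelled out verbatim in `job.yaml`, `unsealjob.yaml` and `argocd.yaml`; a single named template stops the three copies drifting, e.g. in `_helpers.tpl` `{{- define "clustergroup.experimental.initcontainers" -}}{{ and .Values.global.experimentalCapabilities (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }}{{- end }}` and here `{{- $hasInitContainerCapability := eq (include "clustergroup.experimental.initcontainers" .) "true" }}`. The flag is matched on exact comma-separated tokens, so `initcontainers, foo` with a space would silently not enable it; trimming each token or documenting the no-spaces format next to `experimentalCapabilities` in values.yaml avoids a silent miss. The two feature branches also duplicate the whole initContainers/volumeMounts/volumes plumbing, which is acceptable for an experimental flag but should be collapsed once it graduates.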
+++ b/common/clustergroup/templates/imperative/unsealjob.yaml @@ -1,3 +1,8 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} + +{{/* If the backend is not set at all we default to "vault". See https://www.github.com/helm/helm/issues/3308 + why we avoid using the default function */}} +{{- if or (eq .Values.global.secretStore.backend "vault") (not (hasKey .Values.global.secretStore "backend")) }} {{- if not (eq .Values.enabled "plumbing") }} {{- if $.Values.clusterGroup.isHubCluster }} --- @@ -21,7 +26,13 @@ spec: initContainers: # git init happens in /git/repo so that we can set the folder to 0770 permissions # reason for that is ansible refuses to create temporary folders in there +{{- if $hasInitContainerCapability }} + + {{- include "imperative.initcontainers.fetch-ca" . | indent 12 }} + {{- include "imperative.initcontainers.gitinit-ca" . | indent 12 }} +{{- else }} {{- include "imperative.initcontainers.gitinit" . | indent 12 }} +{{- end }} - name: unseal-playbook image: {{ $.Values.clusterGroup.imperative.image }} imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} 
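Review bot: The new gate `{{- if or (eq .Values.global.secretStore.backend "vault") (not (hasKey .Values.global.secretStore "backend")) }}` only covers the case where the `backend` key is absent; if `global.secretStore` itself is unset, both the `.backend` access and `hasKey` on a nil map fail at render time instead of defaulting to `vault` as the comment above promises. Testing the map first preserves the documented default: `{{- if or (not (hasKey (.Values.global.secretStore | default dict) "backend")) (eq .Values.global.secretStore.backend "vault") }}` — this relies on `or` short-circuiting, which presumably holds for the Go toolchain the targeted Helm release is built with and should be stated in the comment. Whether `secretStore` can be absent at all depends on the chart's values.yaml, which is not in this diff.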
@@ -44,15 +55,20 @@ spec: - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - "common/ansible/playbooks/vault/vault.yaml" volumeMounts: +{{- if $hasInitContainerCapability }} + {{- include "imperative.volumemounts_ca" . | indent 16 }} +{{- else }} {{- include "imperative.volumemounts" . | indent 16 }} +{{- end }} containers: {{- include "imperative.containers.done" . | indent 12 }} volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} +{{- if $hasInitContainerCapability }} + {{- include "imperative.volumes_ca" . | indent 12 }} +{{- else }} + {{- include "imperative.volumes" . | indent 12 }} +{{- end }} restartPolicy: Never {{- end }} {{- end }} +{{- end }} diff --git a/common/clustergroup/templates/plumbing/applications.yaml b/common/clustergroup/templates/plumbing/applications.yaml index 3706d839..29db6f39 100644 --- a/common/clustergroup/templates/plumbing/applications.yaml +++ b/common/clustergroup/templates/plumbing/applications.yaml @@ -40,7 +40,7 @@ spec: limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} {{- end }} {{- if .ignoreDifferences }} - ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }} + ignoreDifferences: {{ .ignoreDifferences | toPrettyJson | nindent 2 }} {{- end }} source: repoURL: {{ coalesce .repoURL $.Values.global.repoURL }} @@ -105,7 +105,7 @@ spec: {{- end }} {{- range $k, $v := $.Values.extraParametersNested }} - name: {{ $k }} - value: {{ $v }} + value: {{ printf "%s" $v | quote }} {{- end }} {{- range .overrides }} - name: {{ .name }} @@ -119,6 +119,7 @@ spec: server: {{ coalesce .destinationServer "https://kubernetes.default.svc" }} namespace: {{ coalesce .destinationNamespace .namespace $namespace }} {{- else }} +--- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
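Review bot: `value: {{ printf "%s" $v | quote }}` only works when `$v` is already a string; Helm loads numeric values as float64 and booleans as bool, and Go's `%s` verb on those renders `%!s(float64=3)` / `%!s(bool=true)`, so an `extraParametersNested` entry such as `replicas: 3` reaches the Application as the literal string `"%!s(float64=3)"`. Use sprig's `toString`, which formats any scalar with `%v`: `value: {{ $v | toString | quote }}`. The identical line appears in the `@@ -184` and `@@ -251` hunks of this file that follow.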
@@ -184,7 +185,7 @@ spec: {{- end }} {{- range $k, $v := $.Values.extraParametersNested }} - name: {{ $k }} - value: {{ $v }} + value: {{ printf "%s" $v | quote }} {{- end }} {{- range .overrides }} - name: {{ .name }} @@ -251,7 +252,7 @@ spec: {{- end }} {{- range $k, $v := $.Values.extraParametersNested }} - name: {{ $k }} - value: {{ $v }} + value: {{ printf "%s" $v | quote }} {{- end }} {{- range .overrides }} - name: {{ .name }} @@ -280,7 +281,6 @@ spec: retry: limit: {{ default 20 $.Values.global.applicationRetryLimit }} {{- end }}{{- /* .syncPolicy */}} ---- {{- end }}{{- /* if or (.generators) (.generatorFile) (.useGeneratorValues) (.destinationServer) (.destinationNamespace) */}} {{- end }}{{- /* range .Values.clusterGroup.applications */}} {{- end }}{{- /* if not (eq .Values.enabled "core") */}} diff --git a/common/clustergroup/templates/plumbing/argocd.yaml b/common/clustergroup/templates/plumbing/argocd.yaml index b0977e9c..dcce1b4b 100644 --- a/common/clustergroup/templates/plumbing/argocd.yaml +++ b/common/clustergroup/templates/plumbing/argocd.yaml @@ -1,6 +1,8 @@ +{{- $hasInitContainerCapability := and (.Values.global.experimentalCapabilities) (has "initcontainers" (splitList "," .Values.global.experimentalCapabilities)) }} + {{- if (eq .Values.enabled "all") }} {{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: 
@@ -68,9 +70,50 @@ spec: rbac: defaultPolicy: role:admin repo: +{{- if $hasInitContainerCapability }} + initContainers: + - command: + - bash + - -c + - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt > /tmp/ca-bundles/ca-bundle.crt || true + image: {{ $.Values.clusterGroup.imperative.image }} + name: fetch-ca + resources: {} + volumeMounts: + - mountPath: /var/run/kube-root-ca + name: kube-root-ca + - mountPath: /var/run/trusted-ca + name: trusted-ca-bundle + - mountPath: /tmp/ca-bundles + name: ca-bundles + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - mountPath: /etc/pki/tls/certs + name: ca-bundles + volumes: + - configMap: + name: kube-root-ca.crt + name: kube-root-ca + - configMap: + name: trusted-ca-bundle + optional: true + name: trusted-ca-bundle + - emptyDir: {} + name: ca-bundles +{{- if len $.Values.clusterGroup.argoCD.initContainers }} +{{ $.Values.clusterGroup.argoCD.initContainers | toPrettyJson }} +{{- end }} +{{- else }} {{- if len $.Values.clusterGroup.argoCD.initContainers }} initContainers: {{ $.Values.clusterGroup.argoCD.initContainers | toPrettyJson }} {{- end }} +{{- end }}{{/* if $hasInitContainerCapability */}} {{- if len $.Values.clusterGroup.argoCD.configManagementPlugins }} sidecarContainers: {{- range $cmp := $.Values.clusterGroup.argoCD.configManagementPlugins }} diff --git a/common/clustergroup/templates/plumbing/projects.yaml b/common/clustergroup/templates/plumbing/projects.yaml index 7f3b8c22..1050f2ee 100644 --- a/common/clustergroup/templates/plumbing/projects.yaml +++ b/common/clustergroup/templates/plumbing/projects.yaml 
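Review bot: In the `$hasInitContainerCapability` branch the user-supplied `clusterGroup.argoCD.initContainers` are dumped with `toPrettyJson` after the `volumes:` list instead of inside the `initContainers:` list that now holds `fetch-ca`, so — as far as the collapsed indentation lets me tell — a pattern that defines its own init containers renders either an unparsable ArgoCD CR or containers attached to the wrong key once the capability is on. Emit them as further items of the same list, directly after the `fetch-ca` item, e.g. `{{- if len $.Values.clusterGroup.argoCD.initContainers }}{{ $.Values.clusterGroup.argoCD.initContainers | toYaml | nindent <INDENT_OF_DASH_COMMAND> }}{{- end }}` with the indent matching the `- command:` line (the `ignoreDifferences` hunk in applications.yaml in this same change uses `nindent` for the same reason). Worth a comment next to the `cat … || true` line as well: because the emptyDir is mounted over all of `/etc/pki/tls/certs`, whatever that command leaves in `ca-bundle.crt` becomes the repo server's entire trust store, and a partially failed `cat` (the `trusted-ca-bundle` ConfigMap is `optional: true`, so the injected bundle may not be there yet) degrades silently to the kube root CA only.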
@@ -1,5 +1,14 @@ {{- if not (eq .Values.enabled "core") }} {{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }} +{{- /* + We first check if projects are defined as a map. If it is we call + our helper function in _helpers.tpl to process the projects + described in the values file. This is to support issue + https://github.com/validatedpatterns/common/issues/459 created by our customer. +*/ -}} +{{- if kindIs "map" .Values.clusterGroup.projects }} +{{- template "clustergroup.template.plumbing.projects.map" (list .Values.clusterGroup.projects $namespace $.Values.enabled) }} +{{- else }} {{- range .Values.clusterGroup.projects }} apiVersion: argoproj.io/v1alpha1 kind: AppProject @@ -25,5 +34,6 @@ spec: - '*' status: {} --- -{{- end }} -{{- end }} +{{- end }} {{- /* end range */ -}} +{{- end }} {{- /* end if map */ -}} +{{- end }} {{- /* end if not "core" */ -}} diff --git a/common/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml b/common/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml new file mode 100644 index 00000000..8b2a9cde --- /dev/null +++ b/common/clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml @@ -0,0 +1,7 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }} + labels: + config.openshift.io/inject-trusted-cabundle: 'true' diff --git a/common/clustergroup/values.schema.json b/common/clustergroup/values.schema.json index e88fc5a9..071805fe 100644 --- a/common/clustergroup/values.schema.json +++ b/common/clustergroup/values.schema.json @@ -65,6 +65,10 @@ "clusterGroupName": { "type": "string" }, + "experimentalCapabilities": { + "type": "string", + "description": "String to enable certain experimental capabilities in the operator and the framework." + }, "git": { "type": "object", "additionalProperties": false, 
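Review bot: The `experimentalCapabilities` description says what the field is for but not its format, while the templates in this change parse it with `splitList ","` and test for the exact token `initcontainers`, so neither the separator nor the recognised value can be discovered from the schema. Suggest: `"description": "Comma-separated list of experimental capabilities to enable in the operator and the framework; tokens are matched exactly, without surrounding whitespace. Currently recognised: initcontainers."`. The same wording would suit the `experimentalCapabilities` comment added to `operator-install/values.yaml` later in this diff.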
@@ -153,6 +157,9 @@ }, "options": { "$ref": "#/definitions/Options" + }, + "secretStore": { + "$ref": "#/definitions/GlobalSecretStore" } }, "required": [ @@ -160,6 +167,18 @@ ], "title": "Global" }, + "GlobalSecretStore": { + "type": "object", + "additionalProperties": false, + "properties": { + "backend": { + "type": "string", + "description": "Name of the secrets backend", + "default": "vault" + } + }, + "title": "GlobalSecretsStore" + }, "GlobalGit": { "type": "object", "additionalProperties": true, @@ -239,7 +258,14 @@ "description": "Templated value file paths." }, "namespaces": { - "type": "array", + "anyOf": [ + { + "type": "array" + }, + { + "type": "object" + } + ], "description": "This is the array of namespaces that the VP framework will create. In addition, operator groups will also be created for each namespace.", "items": { "$ref": "#/definitions/Namespaces" @@ -297,7 +323,14 @@ } }, "projects": { - "type": "array", + "anyOf": [ + { + "type": "array" + }, + { + "type": "object" + } + ], "description": "The list of projects that will be created in the ArgoCD instances.", "items": { "type": "string" @@ -336,9 +369,6 @@ "items": { "$ref": "#/definitions/ManagedClusterGroup" } - }, - "externalClusters": { - "type": "array" } }, "required": [ diff --git a/common/clustergroup/values.yaml b/common/clustergroup/values.yaml index bb3a6e27..c74db48c 100644 --- a/common/clustergroup/values.yaml +++ b/common/clustergroup/values.yaml @@ -1,6 +1,8 @@ global: extraValueFiles: [] pattern: common + secretStore: + backend: "vault" targetRevision: main options: useCSV: True diff --git a/common/examples/values-example.yaml b/common/examples/values-example.yaml index 6c006b00..84682e20 100644 --- a/common/examples/values-example.yaml +++ b/common/examples/values-example.yaml 
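Review bot: `GlobalSecretStore` carries `"title": "GlobalSecretsStore"` — the extra `s` matches neither the definition key nor the `secretStore` values key, so the title should read `"GlobalSecretStore"`. `backend` is also a free-form string, yet the templates in this change only render a ClusterSecretStore (and the unseal job) for the exact values `vault` and `kubernetes`; any other spelling silently produces neither. Unless further backends are planned, constrain it next to the default: `"enum": ["vault", "kubernetes"]`, so `helm lint`/schema validation rejects a typo instead of deploying a pattern with no secret store.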
@@ -15,6 +15,18 @@ clusterGroup: - /values/{{ .Values.global.clusterPlatform }}.yaml - /values/{{ .Values.global.clusterVersion }}.yaml + # + # You can define namespaces using hashes and not as a list like so: + # namespaces: + # open-cluster-management: + # labels: + # openshift.io/node-selector: "" + # kubernetes.io/os: linux + # annotations: + # openshift.io/cluster-monitoring: "true" + # owner: "namespace owner" + # application-ci: + # You cannot mix list and hashes to define namespaces namespaces: - open-cluster-management: labels: @@ -58,6 +70,12 @@ clusterGroup: name: openshift-pipelines-operator-rh csv: redhat-openshift-pipelines.v1.5.2 + # + # You can define projects using hashes like so: + # projects: + # hub: + # datacenter: + # You cannot mix list and hashes to define projects. projects: - datacenter diff --git a/common/golang-external-secrets/Chart.yaml b/common/golang-external-secrets/Chart.yaml index b60b499c..961f3b29 100644 --- a/common/golang-external-secrets/Chart.yaml +++ b/common/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.3 dependencies: - name: external-secrets - version: "0.9.11" + version: "0.9.16" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" diff --git a/common/golang-external-secrets/charts/external-secrets-0.9.11.tgz b/common/golang-external-secrets/charts/external-secrets-0.9.11.tgz deleted file mode 100644 index 0f813640..00000000 Binary files a/common/golang-external-secrets/charts/external-secrets-0.9.11.tgz and /dev/null differ diff --git a/common/golang-external-secrets/charts/external-secrets-0.9.16.tgz b/common/golang-external-secrets/charts/external-secrets-0.9.16.tgz new file mode 100644 index 00000000..ca268d84 Binary files /dev/null and b/common/golang-external-secrets/charts/external-secrets-0.9.16.tgz differ 
diff --git a/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml b/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml deleted file mode 100644 index fc0b410f..00000000 --- a/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.{{ .Values.global.hubClusterDomain }} - path: secret - # Version of KV backend - version: v2 -{{- if .Values.golangExternalSecrets.caProvider.enabled }} -{{ if .Values.clusterGroup.isHubCluster }} - caProvider: - type: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.type }} - name: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.name }} - key: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.key }} - namespace: {{ .Values.golangExternalSecrets.caProvider.vaultHostCluster.namespace }} -{{ else }} - caProvider: - type: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.type }} - name: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.name }} - key: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.key }} - namespace: {{ .Values.golangExternalSecrets.caProvider.vaultClientCluster.namespace }} -{{ end }} -{{- end }} - auth: - kubernetes: -{{ if .Values.clusterGroup.isHubCluster }} - mountPath: {{ .Values.mountPath }} - role: {{ .Values.mountRole }} -{{ else }} - mountPath: {{ $.Values.global.clusterDomain }} - role: {{ $.Values.global.clusterDomain }}-role -{{ end }} - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" 
diff --git a/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml b/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml new file mode 100644 index 00000000..05ce87a7 --- /dev/null +++ b/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-role.yaml @@ -0,0 +1,22 @@ +{{- if and (eq .Values.global.secretStore.backend "kubernetes") (eq .Values.clusterGroup.isHubCluster true) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ .Values.golangExternalSecrets.kubernetes.remoteNamespace }} + name: golang-external-secrets +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectrulesreviews + verbs: + - create +{{- end }} diff --git a/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml b/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml new file mode 100644 index 00000000..02128e9a --- /dev/null +++ b/common/golang-external-secrets/templates/kubernetes/golang-external-secrets-hub-secretstore.yaml 
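Review bot: The Role grants `get`/`list`/`watch` on every Secret in `remoteNamespace` with no `resourceNames`; that is what the ESO kubernetes provider needs, but nothing in the file says so, and the scope means that namespace must hold only pattern secrets. No RoleBinding to the `golang-external-secrets` service account that the ClusterSecretStore in the next file authenticates with is visible in this chunk; if it lives elsewhere, a comment naming it would help. Proposed header comment: `# Read-only access for the ESO kubernetes provider; scope is the whole namespace, so keep remoteNamespace dedicated to pattern secrets.`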
@@ -0,0 +1,33 @@ +{{- if eq .Values.global.secretStore.backend "kubernetes" }} +--- +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: kubernetes-backend + namespace: golang-external-secrets +spec: + provider: + kubernetes: + remoteNamespace: {{ .Values.golangExternalSecrets.kubernetes.remoteNamespace }} + server: + url: {{ .Values.golangExternalSecrets.kubernetes.server.url }} +{{- if .Values.golangExternalSecrets.caProvider.enabled }} +{{- if .Values.clusterGroup.isHubCluster }} + caProvider: + type: {{ .Values.golangExternalSecrets.caProvider.hostCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.hostCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.hostCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.hostCluster.namespace }} +{{- else }} + caProvider: + type: {{ .Values.golangExternalSecrets.caProvider.clientCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.clientCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.clientCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.clientCluster.namespace }} +{{- end }} +{{- end }} + auth: + serviceAccount: + name: golang-external-secrets + namespace: golang-external-secrets +{{- end }} diff --git a/common/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml b/common/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml new file mode 100644 index 00000000..59f55086 --- /dev/null +++ b/common/golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml 
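Review bot: `server.url` comes from `golangExternalSecrets.kubernetes.server.url`, whose default in `values.yaml` (later in this diff) is `https://kubernetes.default`, i.e. the local API server, yet the non-hub `caProvider` branch below defaults to the `hub-ca` Secret; on a managed cluster the store would then verify the local API server against the hub's CA and fail unless the pattern overrides the URL — I am inferring intent from the defaults, so confirm. Either document in `values.yaml` that `server.url` must be set on managed clusters, or fail rendering early: `{{- if and (not .Values.clusterGroup.isHubCluster) (eq .Values.golangExternalSecrets.kubernetes.server.url "https://kubernetes.default") }}{{ fail "golangExternalSecrets.kubernetes.server.url must point at the hub API server on managed clusters" }}{{- end }}`.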
@@ -0,0 +1,43 @@ +{{- if or (eq .Values.global.secretStore.backend "vault") (not (hasKey .Values.global.secretStore "backend")) }} +--- +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: vault-backend + namespace: golang-external-secrets +spec: + provider: + vault: + server: https://vault-vault.{{ .Values.global.hubClusterDomain }} + path: secret + # Version of KV backend + version: v2 +{{- if .Values.golangExternalSecrets.caProvider.enabled }} +{{ if .Values.clusterGroup.isHubCluster }} + caProvider: + type: {{ .Values.golangExternalSecrets.caProvider.hostCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.hostCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.hostCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.hostCluster.namespace }} +{{ else }} + caProvider: + type: {{ .Values.golangExternalSecrets.caProvider.clientCluster.type }} + name: {{ .Values.golangExternalSecrets.caProvider.clientCluster.name }} + key: {{ .Values.golangExternalSecrets.caProvider.clientCluster.key }} + namespace: {{ .Values.golangExternalSecrets.caProvider.clientCluster.namespace }} +{{ end }} +{{- end }} + auth: + kubernetes: +{{ if .Values.clusterGroup.isHubCluster }} + mountPath: {{ .Values.golangExternalSecrets.vault.mountPath }} + role: {{ .Values.golangExternalSecrets.rbac.rolename }} +{{ else }} + mountPath: {{ $.Values.global.clusterDomain }} + role: {{ $.Values.global.clusterDomain }}-role +{{ end }} + secretRef: + name: golang-external-secrets + namespace: golang-external-secrets + key: "token" +{{- end }} diff --git a/common/golang-external-secrets/values.yaml b/common/golang-external-secrets/values.yaml index 8a37f554..8d30c3df 100644 --- a/common/golang-external-secrets/values.yaml +++ b/common/golang-external-secrets/values.yaml 
@@ -1,18 +1,25 @@ --- -# Eventually we should aim to move these two under the golangExternalSecrets key -mountPath: "hub" -mountRole: "hub-role" - golangExternalSecrets: - # This controls how ESO connects to vault + rbac: + rolename: "hub-role" + + kubernetes: + remoteNamespace: "validated-patterns-secrets" + server: + url: 'https://kubernetes.default' + + vault: + mountPath: "hub" + + # This controls how ESO connects to vault caProvider: enabled: true # If vault is exposed via a route that is signed by a non internal CA you might want to disable this - vaultHostCluster: + hostCluster: type: ConfigMap name: kube-root-ca.crt key: ca.crt namespace: golang-external-secrets - vaultClientCluster: + clientCluster: type: Secret name: hub-ca key: hub-kube-root-ca.crt @@ -22,15 +29,18 @@ global: hubClusterDomain: hub.example.com clusterDomain: foo.example.com + secretStore: + backend: "vault" + clusterGroup: isHubCluster: true external-secrets: image: - tag: v0.9.11-ubi + tag: v0.9.16-ubi webhook: image: - tag: v0.9.11-ubi + tag: v0.9.16-ubi certController: image: - tag: v0.9.11-ubi + tag: v0.9.16-ubi diff --git a/common/hashicorp-vault/Chart.yaml b/common/hashicorp-vault/Chart.yaml index b9a20124..e1577595 100644 --- a/common/hashicorp-vault/Chart.yaml +++ b/common/hashicorp-vault/Chart.yaml @@ -6,5 +6,5 @@ name: hashicorp-vault version: 0.0.1 dependencies: - name: vault - version: "0.27.0" + version: "0.28.0" repository: "https://helm.releases.hashicorp.com" diff --git a/common/hashicorp-vault/README.md b/common/hashicorp-vault/README.md index 84065ffd..26252b7e 100644 --- a/common/hashicorp-vault/README.md +++ b/common/hashicorp-vault/README.md @@ -10,12 +10,6 @@ ## Patches -### Issue 9136 - -**IMPORTANT**: Due to the fact that 'null' values do not work in helm charts -([GH#9136](https://github.com/helm/helm/issues/9136)), we need to patch the -chart to skip setting the host. - ### Issue 674 In order to be able to use vault ssl we need to patch the helm chart to fix 
diff --git a/common/hashicorp-vault/charts/vault-0.27.0.tgz b/common/hashicorp-vault/charts/vault-0.27.0.tgz deleted file mode 100644 index 574b3e74..00000000 Binary files a/common/hashicorp-vault/charts/vault-0.27.0.tgz and /dev/null differ diff --git a/common/hashicorp-vault/charts/vault-0.28.0.tgz b/common/hashicorp-vault/charts/vault-0.28.0.tgz new file mode 100644 index 00000000..0e02f376 Binary files /dev/null and b/common/hashicorp-vault/charts/vault-0.28.0.tgz differ diff --git a/common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch b/common/hashicorp-vault/local-patches/0001-Allow-per-service-annotations.patch similarity index 100% rename from common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch rename to common/hashicorp-vault/local-patches/0001-Allow-per-service-annotations.patch diff --git a/common/hashicorp-vault/local-patches/0001-patch-server-route.patch b/common/hashicorp-vault/local-patches/0001-patch-server-route.patch deleted file mode 100644 index edc22c57..00000000 --- a/common/hashicorp-vault/local-patches/0001-patch-server-route.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -up vault/values.yaml.orig vault/values.yaml ---- vault/values.yaml.orig 2022-09-05 20:42:02.468428184 +0200 -+++ vault/values.yaml 2022-09-05 20:42:05.218435871 +0200 -@@ -406,7 +406,8 @@ server: - - labels: {} - annotations: {} -- host: chart-example.local -+ #host: chart-example.local -+ host: null - # tls will be passed directly to the route's TLS config, which - # can be used to configure other termination methods that terminate - # TLS at the router -diff -up vault/values.schema.json.orig vault/values.schema.json ---- vault/values.schema.json.orig 2022-09-11 21:00:34.834334961 +0200 -+++ vault/values.schema.json 2022-09-11 21:00:57.190368032 +0200 -@@ -838,7 +838,10 @@ - "type": "boolean" - }, - "host": { -- "type": "string" -+ "type": [ -+ "null", -+ "string" -+ ] - }, - "labels": { - "type": "object" 
diff --git a/common/hashicorp-vault/update-helm-dependency.sh b/common/hashicorp-vault/update-helm-dependency.sh index 76e4ac14..2551d888 100755 --- a/common/hashicorp-vault/update-helm-dependency.sh +++ b/common/hashicorp-vault/update-helm-dependency.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -eu +set -eu -o pipefail # Get the version of the dependency and then unquote it TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }') diff --git a/common/hashicorp-vault/values.yaml b/common/hashicorp-vault/values.yaml index 25740d98..fa73a060 100644 --- a/common/hashicorp-vault/values.yaml +++ b/common/hashicorp-vault/values.yaml @@ -48,4 +48,4 @@ vault: termination: "reencrypt" image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.15.2-ubi" + tag: "1.16.1-ubi" diff --git a/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml b/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml index 68be225f..b3d769bb 100644 --- a/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml +++ b/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 name: patterns.gitops.hybrid-cloud-patterns.io spec: group: gitops.hybrid-cloud-patterns.io 
@@ -31,14 +31,19 @@ spec: description: Pattern is the Schema for the patterns API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -51,9 +56,14 @@ spec: type: string clusterGroupName: type: string + experimentalCapabilities: + description: Comma separated capabilities to enable certain experimental + features + type: string extraParameters: - description: '.Name is dot separated per the helm --set syntax, such - as: global.something.field' + description: |- + .Name is dot separated per the helm --set syntax, such as: + global.something.field items: properties: name: 
@@ -105,9 +115,9 @@ spec: short-sha''s. Default: HEAD' type: string tokenSecret: - description: Optional. K8s secret name where the info for connecting - to git can be found. The supported secrets are modeled after - the private repositories in argo (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) + description: |- + Optional. K8s secret name where the info for connecting to git can be found. The supported secrets are modeled after the + private repositories in argo (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) currently ssh and username+password are supported type: string tokenSecretNamespace: @@ -121,18 +131,18 @@ spec: properties: clusterGroupChartGitRevision: default: main - description: The git reference when deploying the clustergroup - helm chart directly from a git repo Defaults to 'main'. (Only - used when developing the clustergroup helm chart) + description: |- + The git reference when deploying the clustergroup helm chart directly from a git repo + Defaults to 'main'. (Only used when developing the clustergroup helm chart) type: string clusterGroupChartVersion: description: Which chart version for the clustergroup helm chart. Defaults to "0.8.*" type: string clusterGroupGitRepoUrl: - description: The url when deploying the clustergroup helm chart - directly from a git repo Defaults to '' which means not used - (Only used when developing the clustergroup helm chart) + description: |- + The url when deploying the clustergroup helm chart directly from a git repo + Defaults to '' which means not used (Only used when developing the clustergroup helm chart) type: string enabled: default: true 
@@ -160,10 +170,11 @@ spec: type: string applications: items: - description: PatternApplicationInfo defines the Applications Status - for the Pattern. This structure is part of the PatternStatus as - an array The Application Status will be included as part of the - Observed state of Pattern + description: |- + PatternApplicationInfo defines the Applications + Status for the Pattern. + This structure is part of the PatternStatus as an array + The Application Status will be included as part of the Observed state of Pattern properties: healthMessage: type: string diff --git a/common/operator-install/templates/pattern.yaml b/common/operator-install/templates/pattern.yaml index 3dc1948a..ca3234f8 100644 --- a/common/operator-install/templates/pattern.yaml +++ b/common/operator-install/templates/pattern.yaml @@ -13,13 +13,16 @@ spec: tokenSecretNamespace: {{ .Values.main.tokenSecretNamespace }} {{- end }} {{/* if and .Values.main.tokenSecret .Values.main.tokenSecretNamespace */}} gitOpsSpec: - operatorChannel: {{ default "gitops-1.8" .Values.main.gitops.channel }} + operatorChannel: {{ default "gitops-1.12" .Values.main.gitops.channel }} operatorSource: {{ default "redhat-operators" .Values.main.gitops.operatorSource }} multiSourceConfig: enabled: {{ .Values.main.multiSourceConfig.enabled }} {{- if .Values.main.analyticsUUID }} analyticsUUID: {{ .Values.main.analyticsUUID }} {{- end }} {{/* if .Values.main.analyticsUUID */}} +{{- if .Values.main.experimentalCapabilities }} + experimentalCapabilities: {{ .Values.main.experimentalCapabilities }} +{{- end }} {{/* if .Values.main.experimentalCapabilities */}} {{- if .Values.main.extraParameters }} extraParameters: {{- range .Values.main.extraParameters }} diff --git a/common/operator-install/values.yaml b/common/operator-install/values.yaml index 9c2f7386..8ce7fe67 100644 --- a/common/operator-install/values.yaml +++ b/common/operator-install/values.yaml 
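Review bot: `experimentalCapabilities: {{ .Values.main.experimentalCapabilities }}` emits the value as a plain scalar although the CRD in this same change declares it `type: string`; a value such as `yes`, `on` or `1` would be parsed as bool/int and rejected by the API server, and a comma-separated value is only safe while it contains no `: ` or ` #`. Quote it: `experimentalCapabilities: {{ .Values.main.experimentalCapabilities | quote }}`.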
@@ -7,12 +7,16 @@ main:
 revision: main
 gitops:
- channel: "gitops-1.11"
+ channel: "gitops-1.12"
 operatorSource: redhat-operators
 multiSourceConfig:
 enabled: false
+ # String to enable certain experimental capabilities in the operator and the
+ # framework. Not needed unless you know exactly what you're doing.
+ experimentalCapabilities: ""
+
 patternsOperator:
 channel: fast
 source: community-operators
diff --git a/common/reference-output.yaml b/common/reference-output.yaml
index dbb4c6dc..54f4052a 100644
--- a/common/reference-output.yaml
+++ b/common/reference-output.yaml
@@ -112,7 +112,7 @@ metadata:
 labels:
 operators.coreos.com/openshift-gitops-operator.openshift-operators: ""
 spec:
- channel: gitops-1.8
+ channel: gitops-1.12
 installPlanApproval: Automatic
 name: openshift-gitops-operator
 source: redhat-operators
diff --git a/common/scripts/determine-main-clustergroup.sh b/common/scripts/determine-main-clustergroup.sh
new file mode 100755
index 00000000..6271dbad
--- /dev/null
+++ b/common/scripts/determine-main-clustergroup.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+PATTERN_DIR="$1"
+
+if [ -z "$PATTERN_DIR" ]; then
+ PATTERN_DIR="."
+fi
+
+CGNAME=$(yq '.main.clusterGroupName' "$PATTERN_DIR/values-global.yaml")
+
+if [ -z "$CGNAME" ] || [ "$CGNAME" == "null" ]; then
+ echo "Error - cannot detrmine clusterGroupName"
+ exit 1
+fi
+
+echo "$CGNAME"
diff --git a/common/scripts/determine-pattern-name.sh b/common/scripts/determine-pattern-name.sh
new file mode 100755
index 00000000..fb503fe6
--- /dev/null
+++ b/common/scripts/determine-pattern-name.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+PATTERN_DIR="$1"
+
+if [ -z "$PATTERN_DIR" ]; then
+ PATTERN_DIR="."
+fi
+
+PATNAME=$(yq '.global.pattern' "$PATTERN_DIR/values-global.yaml" 2>/dev/null)
+
+if [ -z "$PATNAME" ] || [ "$PATNAME" == "null" ]; then
+ PATNAME="$(basename "$PWD")"
+fi
+
+echo "$PATNAME"
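Review bot: The error message goes to stdout, and both callers added in this change (`manage-secret-app.sh`, `manage-secret-namespace.sh`) use `$(common/scripts/determine-main-clustergroup.sh)` to build a file name, so on failure the text `Error - cannot detrmine clusterGroupName` becomes part of `MAIN_CLUSTERGROUP_FILE` and the non-zero exit status is lost. Send diagnostics to stderr and fix the typo: `echo "Error - cannot determine clusterGroupName" >&2`.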
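Review bot: The script declares `#!/bin/sh` but tests `[ "$PATNAME" == "null" ]`; `==` is not POSIX `test`, and dash (the `/bin/sh` on Debian/Ubuntu) reports `unexpected operator` and returns false, so when `yq` prints `null` the script echoes the string `null` instead of falling back to the directory name. Use `=`: `[ "$PATNAME" = "null" ]`. `determine-secretstore-backend.sh` in the next hunk has the same `==` plus the obsolescent `-o`; write its test as `[ -z "$BACKEND" ] || [ "$BACKEND" = "null" ]`. `determine-main-clustergroup.sh` is `bash` and is unaffected.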
diff --git a/common/scripts/determine-secretstore-backend.sh b/common/scripts/determine-secretstore-backend.sh
new file mode 100755
index 00000000..ef784790
--- /dev/null
+++ b/common/scripts/determine-secretstore-backend.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+PATTERN_DIR="$1"
+
+if [ -z "$PATTERN_DIR" ]; then
+ PATTERN_DIR="."
+fi
+
+BACKEND=$(yq '.global.secretStore.backend' "$PATTERN_DIR/values-global.yaml" 2>/dev/null)
+
+if [ -z "$BACKEND" -o "$BACKEND" == "null" ]; then
+ BACKEND="vault"
+fi
+
+echo "$BACKEND"
diff --git a/common/scripts/display-secrets-info.sh b/common/scripts/display-secrets-info.sh
new file mode 100755
index 00000000..124a3454
--- /dev/null
+++ b/common/scripts/display-secrets-info.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -eu
+
+get_abs_filename() {
+ # $1 : relative filename
+ echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+}
+
+SCRIPT=$(get_abs_filename "$0")
+SCRIPTPATH=$(dirname "${SCRIPT}")
+COMMONPATH=$(dirname "${SCRIPTPATH}")
+PATTERNPATH=$(dirname "${COMMONPATH}")
+ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible"
+PLAYBOOKPATH="${ANSIBLEPATH}/playbooks"
+
+export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg"
+
+if [ "$#" -ge 1 ]; then
+ export VALUES_SECRET=$(get_abs_filename "${1}")
+fi
+
+if [[ "$#" == 2 ]]; then
+ SECRETS_BACKING_STORE="$2"
+else
+ SECRETS_BACKING_STORE="$($SCRIPTPATH/determine-secretstore-backend.sh)"
+fi
+
+PATTERN_NAME=$(basename "`pwd`")
+
+ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" -e secrets_backing_store="${SECRETS_BACKING_STORE}" -e override_no_log=false "${PLAYBOOKPATH}/process_secrets/display_secrets_info.yml"
diff --git a/common/scripts/load-k8s-secrets.sh b/common/scripts/load-k8s-secrets.sh
new file mode 100755
index 00000000..33c2f9a5
--- /dev/null
+++ b/common/scripts/load-k8s-secrets.sh
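Review bot: `ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible"` leaves `${SCRIPTPATH}` unquoted, so a checkout path containing whitespace breaks here despite `set -eu`, and it recomputes what `COMMONPATH` already holds two lines above; `ANSIBLEPATH="${COMMONPATH}/ansible"` fixes both. The same pair of lines is repeated in `load-k8s-secrets.sh` in the next hunk. In the `else` branch `$SCRIPTPATH/determine-secretstore-backend.sh` should be quoted for the same reason, and `export VALUES_SECRET=$(...)` hides a failing `get_abs_filename` from `set -e` — assign first, then `export VALUES_SECRET`.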
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -eu
+
+get_abs_filename() {
+ # $1 : relative filename
+ echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+}
+
+SCRIPT=$(get_abs_filename "$0")
+SCRIPTPATH=$(dirname "${SCRIPT}")
+COMMONPATH=$(dirname "${SCRIPTPATH}")
+PATTERNPATH=$(dirname "${COMMONPATH}")
+ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible"
+PLAYBOOKPATH="${ANSIBLEPATH}/playbooks"
+export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg"
+
+PATTERN_NAME=${1:-$(basename "`pwd`")}
+
+ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" "${PLAYBOOKPATH}/k8s_secrets/k8s_secrets.yml"
diff --git a/common/scripts/manage-secret-app.sh b/common/scripts/manage-secret-app.sh
new file mode 100755
index 00000000..1ea0d0bb
--- /dev/null
+++ b/common/scripts/manage-secret-app.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+APP=$1
+STATE=$2
+
+MAIN_CLUSTERGROUP_FILE="./values-$(common/scripts/determine-main-clustergroup.sh).yaml"
+MAIN_CLUSTERGROUP_PROJECT="$(common/scripts/determine-main-clustergroup.sh)"
+
+case "$APP" in
+ "vault")
+ APP_NAME="vault"
+ NAMESPACE="vault"
+ PROJECT="$MAIN_CLUSTERGROUP_PROJECT"
+ CHART_LOCATION="common/hashicorp-vault"
+ ;;
+ "golang-external-secrets")
+ APP_NAME="golang-external-secrets"
+ NAMESPACE="golang-external-secrets"
+ PROJECT="$MAIN_CLUSTERGROUP_PROJECT"
+ CHART_LOCATION="common/golang-external-secrets"
+ ;;
+ *)
+ echo "Error - cannot manage $APP can only manage vault and golang-external-secrets"
+ exit 1
+ ;;
+esac
+
+case "$STATE" in
+ "present")
+ common/scripts/manage-secret-namespace.sh "$NAMESPACE" "$STATE"
+
+ RES=$(yq ".clusterGroup.applications[] | select(.path == \"$CHART_LOCATION\")" "$MAIN_CLUSTERGROUP_FILE" 2>/dev/null)
+ if [ -z "$RES" ]; then
+ echo "Application with chart location $CHART_LOCATION not found, adding"
+ yq -i ".clusterGroup.applications.$APP_NAME = { \"name\": \"$APP_NAME\", \"namespace\": \"$NAMESPACE\", \"project\": \"$PROJECT\", \"path\": \"$CHART_LOCATION\" }" "$MAIN_CLUSTERGROUP_FILE"
+ fi
+ ;;
+ "absent")
+ common/scripts/manage-secret-namespace.sh "$NAMESPACE" "$STATE"
+ echo "Removing application wth chart location $CHART_LOCATION"
+ yq -i "del(.clusterGroup.applications[] | select(.path == \"$CHART_LOCATION\"))" "$MAIN_CLUSTERGROUP_FILE"
+ ;;
+ *)
+ echo "$STATE not supported"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/common/scripts/manage-secret-namespace.sh b/common/scripts/manage-secret-namespace.sh
new file mode 100755
index 00000000..bcb06742
--- /dev/null
+++ b/common/scripts/manage-secret-namespace.sh
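Review bot: `common/scripts/determine-main-clustergroup.sh` is executed twice at the top of the script, once for `MAIN_CLUSTERGROUP_FILE` and once for `MAIN_CLUSTERGROUP_PROJECT`; deriving the file name from the project variable runs it once and keeps the two values consistent: `MAIN_CLUSTERGROUP_PROJECT="$(common/scripts/determine-main-clustergroup.sh)"` followed by `MAIN_CLUSTERGROUP_FILE="./values-${MAIN_CLUSTERGROUP_PROJECT}.yaml"`. The same pair is duplicated in manage-secret-namespace.sh, where `MAIN_CLUSTERGROUP_PROJECT` is not used at all. Neither script checks that `$MAIN_CLUSTERGROUP_FILE` exists before `yq -i` edits it in place; a guard such as `[ -f "$MAIN_CLUSTERGROUP_FILE" ] || { echo "missing $MAIN_CLUSTERGROUP_FILE"; exit 1; }` gives a clear failure instead of whatever yq does with a missing file. The `absent` message has a typo, `wth` for `with`.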
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+NAMESPACE=$1
+STATE=$2
+
+MAIN_CLUSTERGROUP_FILE="./values-$(common/scripts/determine-main-clustergroup.sh).yaml"
+MAIN_CLUSTERGROUP_PROJECT="$(common/scripts/determine-main-clustergroup.sh)"
+
+case "$STATE" in
+ "present")
+
+ RES=$(yq ".clusterGroup.namespaces[] | select(. == \"$NAMESPACE\")" "$MAIN_CLUSTERGROUP_FILE" 2>/dev/null)
+ if [ -z "$RES" ]; then
+ echo "Namespace $NAMESPACE not found, adding"
+ yq -i ".clusterGroup.namespaces += [ \"$NAMESPACE\" ]" "$MAIN_CLUSTERGROUP_FILE"
+ fi
+ ;;
+ "absent")
+ echo "Removing namespace $NAMESPACE"
+ yq -i "del(.clusterGroup.namespaces[] | select(. == \"$NAMESPACE\"))" "$MAIN_CLUSTERGROUP_FILE"
+ ;;
+ *)
+ echo "$STATE not supported"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/common/scripts/pattern-util.sh b/common/scripts/pattern-util.sh
index 745131b5..f7be58c2 100755
--- a/common/scripts/pattern-util.sh
+++ b/common/scripts/pattern-util.sh
@@ -35,9 +35,10 @@ if [ $(version "${PODMAN_VERSION}") -lt $(version "4.3.0") ]; then
 PODMAN_ARGS="-v ${HOME}:/root"
 else
 # We do not rely on bash's $UID and $GID because on MacOSX $GID is not set
+ MYNAME=$(id -n -u)
 MYUID=$(id -u)
 MYGID=$(id -g)
- PODMAN_ARGS="--user ${MYUID}:${MYGID} --userns keep-id:uid=${MYUID},gid=${MYGID}"
+ PODMAN_ARGS="--passwd-entry ${MYNAME}:x:${MYUID}:${MYGID}:/pattern-home:/bin/bash --user ${MYUID}:${MYGID} --userns keep-id:uid=${MYUID},gid=${MYGID}"
 fi
 if [ -n "$KUBECONFIG" ]; then
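Review bot: `$NAMESPACE` is interpolated verbatim into the yq program in all three `yq` calls (`select(. == \"$NAMESPACE\")`, `+= [ \"$NAMESPACE\" ]`), so a value containing a double quote or yq syntax alters the expression instead of being compared as data, and an empty `$1` silently appends `""` to `clusterGroup.namespaces`. Namespaces are DNS labels, so rejecting anything else up front is cheap: `case "$NAMESPACE" in ''|*[!a-z0-9-]*) echo "invalid namespace: $NAMESPACE"; exit 1;; esac`. Passing the value through the environment keeps it out of the program text altogether, e.g. `NAMESPACE="$NAMESPACE" yq -i '.clusterGroup.namespaces += [ strenv(NAMESPACE) ]' "$MAIN_CLUSTERGROUP_FILE"`. manage-secret-app.sh is not affected because its values come from the fixed `case` arms.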
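Review bot: The new `--passwd-entry ${MYNAME}:x:${MYUID}:${MYGID}:/pattern-home:/bin/bash` has no comment explaining why it is needed, and the reason is not obvious next to `--userns keep-id`; presumably the mapped uid has no passwd entry inside the image, so `~`, `id -n` and ssh cannot resolve the user. A comment such as `# keep-id maps our uid/gid into the container but the image has no matching passwd entry; synthesize one with /pattern-home (the ${HOME} mount below) as home` would record the intent, and the hard-coded `/bin/bash` is worth a note that the utility image is expected to ship bash. The enclosing `if`/`else` starts before this hunk.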
@@ -47,6 +48,16 @@ if [ -n "$KUBECONFIG" ]; then
 exit 1
 fi
 fi
+
+# Use /etc/pki by default and try a couple of fallbacks if it does not exist
+if [ -d /etc/pki ]; then
+ PKI_HOST_MOUNT="/etc/pki"
+elif [ -d /etc/ssl ]; then
+ PKI_HOST_MOUNT="/etc/ssl"
+else
+ PKI_HOST_MOUNT="/usr/share/ca-certificates"
+fi
+
 # Copy Kubeconfig from current environment. The utilities will pick up ~/.kube/config if set so it's not mandatory
 # $HOME is mounted as itself for any files that are referenced with absolute paths
 # $HOME is mounted to /root because the UID in the container is 0 and that's where SSH looks for credentials
@@ -54,10 +65,13 @@ fi
 podman run -it --rm --pull=newer \
 --security-opt label=disable \
 -e EXTRA_HELM_OPTS \
+ -e EXTRA_PLAYBOOK_OPTS \
 -e KUBECONFIG \
+ -v "${PKI_HOST_MOUNT}":/etc/pki:ro \
 -v "${HOME}":"${HOME}" \
 -v "${HOME}":/pattern-home \
 ${PODMAN_ARGS} \
+ ${EXTRA_ARGS} \
 -w "$(pwd)" \
 "$PATTERN_UTILITY_CONTAINER" \
 $@
diff --git a/common/scripts/preview-all.sh b/common/scripts/preview-all.sh
index cc7775bf..4bf59322 100755
--- a/common/scripts/preview-all.sh
+++ b/common/scripts/preview-all.sh
@@ -7,9 +7,19 @@ HUB=$( yq ".main.clusterGroupName" values-global.yaml )
 MANAGED_CLUSTERS=$( yq ".clusterGroup.managedClusterGroups.[].name" values-$HUB.yaml )
 ALL_CLUSTERS=( $HUB $MANAGED_CLUSTERS )
+CLUSTER_INFO_OUT=$(oc cluster-info 2>&1)
+CLUSTER_INFO_RET=$?
+if [ $CLUSTER_INFO_RET -ne 0 ]; then
+ echo "Could not access the cluster:"
+ echo "${CLUSTER_INFO_OUT}"
+ exit 1
+fi
+
 for cluster in ${ALL_CLUSTERS[@]}; do
- APPS=$( yq ".clusterGroup.applications.[].name" values-$cluster.yaml )
+ # We always add clustergroup as it is the entry point and it gets special cased in preview.sh.
+ APPS="clustergroup $( yq ".clusterGroup.applications.[].name" values-$cluster.yaml )"
 for app in $APPS; do
+ printf "# Parsing application $app from cluster $cluster\n"
 common/scripts/preview.sh $cluster $app $REPO $TARGET_BRANCH
 done
 done
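Review bot: The fallbacks mount `/etc/ssl` or `/usr/share/ca-certificates` onto `/etc/pki` inside the container, but those directories do not share `/etc/pki`'s layout (a bundle under `/etc/pki/tls/certs/` lives at a different path under `/etc/ssl/certs/`), so tools in the container that look for the /etc/pki paths would presumably still find nothing, while the read-only mount hides whatever trust store the image itself ships. Checking for the bundle file rather than the directory, and only mounting when the host really has the /etc/pki layout, avoids silently replacing a working store with an empty one. At minimum the comment should say what the container expects to find, e.g. `# The container reads its trust store from /etc/pki; the host copy is mounted read-only so locally added CAs are trusted`. `PKI_HOST_MOUNT` is consumed by the `podman run` command in the next hunk.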
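Review bot: `${EXTRA_ARGS}` is a new, user-supplied, word-split expansion in the `podman run` command with no comment at its point of use; preview.sh documents it as the way to pass `-e OCP_PLATFORM -e OCP_VERSION -e OCP_DOMAIN` through, so a line such as `# EXTRA_ARGS: optional extra podman flags, e.g. export EXTRA_ARGS="-e OCP_PLATFORM -e OCP_VERSION -e OCP_DOMAIN"` above the command would keep that contract discoverable here. If the script runs with `set -u` anywhere (not visible in this hunk), an unset `EXTRA_ARGS` aborts the command; `${EXTRA_ARGS:-}` behaves the same for set values and is safe either way. The new `-e EXTRA_PLAYBOOK_OPTS` likewise forwards an arbitrary ansible-playbook option string into the container and should be named in the same comment.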
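Review bot: `printf "# Parsing application $app from cluster $cluster\n"` expands the application and cluster names into printf's format string, so a name containing `%` or a backslash sequence is interpreted instead of printed; use a fixed format with the values as arguments: `printf '# Parsing application %s from cluster %s\n' "$app" "$cluster"`. The `oc cluster-info` precheck is the right shape, since `$?` after `VAR=$(cmd)` is the command's status and the captured output is only echoed on failure. `$REPO` and `$TARGET_BRANCH` are set outside this hunk.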
diff --git a/common/scripts/preview.sh b/common/scripts/preview.sh
index 379f240d..b9839c51 100755
--- a/common/scripts/preview.sh
+++ b/common/scripts/preview.sh
@@ -9,17 +9,35 @@
 # - Make output can be included in the YAML.
 SITE=$1; shift
-APP=$1; shift
+APPNAME=$1; shift
 GIT_REPO=$1; shift
 GIT_BRANCH=$1; shift
-chart=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml)
-namespace=$(yq ".clusterGroup.applications.$APP.namespace" values-$SITE.yaml)
+if [ "${APPNAME}" != "clustergroup" ]; then
+ # This covers the following case:
+ # foobar:
+ # name: foo
+ # namespace: foo
+ # project: foo
+ # path: charts/all/foo
+ # So we retrieve the actual index ("foobar") given the name attribute of the application
+ APP=$(yq ".clusterGroup.applications | with_entries(select(.value.name == \"$APPNAME\")) | keys | .[0]" values-$SITE.yaml)
+ chart=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml)
+ namespace=$(yq ".clusterGroup.applications.$APP.namespace" values-$SITE.yaml)
+else
+ APP=$APPNAME
+ chart="common/clustergroup"
+ namespace="openshift-operators"
+fi
 pattern=$(yq ".global.pattern" values-global.yaml)
-platform=$(oc get Infrastructure.config.openshift.io/cluster -o jsonpath='{.spec.platformSpec.type}')
-ocpversion=$(oc get clusterversion/version -o jsonpath='{.status.desired.version}' | awk -F. '{print $1"."$2}')
-domain=$(oc get Ingress.config.openshift.io/cluster -o jsonpath='{.spec.domain}' | sed 's/^apps.//')
+# You can override the default lookups by using OCP_{PLATFORM,VERSION,DOMAIN}
+# Note that when using the utility container you need to pass in the above variables
+# by export EXTRA_ARGS="-e OCP_PLATFORM -e OCP_VERSION -e OCP_DOMAIN" before
+# invoking pattern-util.sh
+platform=${OCP_PLATFORM:-$(oc get Infrastructure.config.openshift.io/cluster -o jsonpath='{.spec.platformSpec.type}')}
+ocpversion=${OCP_VERSION:-$(oc get clusterversion/version -o jsonpath='{.status.desired.version}' | awk -F. 
'{print $1"."$2}')}
+domain=${OCP_DOMAIN:-$(oc get Ingress.config.openshift.io/cluster -o jsonpath='{.spec.domain}' | sed 's/^apps.//')}
 function replaceGlobals() {
 output=$( echo $1 | sed -e 's/ //g' -e 's/\$//g' -e s@^-@@g -e s@\'@@g )
@@ -57,23 +75,34 @@ CLUSTER_OPTS="$CLUSTER_OPTS --set global.clusterPlatform=$platform"
 sharedValueFiles=$(yq ".clusterGroup.sharedValueFiles" values-$SITE.yaml)
 appValueFiles=$(yq ".clusterGroup.applications.$APP.extraValueFiles" values-$SITE.yaml)
+isKustomize=$(yq ".clusterGroup.applications.$APP.kustomize" values-$SITE.yaml)
 OVERRIDES=$( getOverrides )
-VALUE_FILES=""
+VALUE_FILES="-f values-global.yaml -f values-$SITE.yaml"
 IFS=$'\n'
 for line in $sharedValueFiles; do
- if [ $line != "null" ]; then
- file=$(replaceGlobals $line)
- VALUE_FILES="$VALUE_FILES -f $PWD$file"
+ if [ $line != "null" ] && [ -f $line ]; then
+ file=$(replaceGlobals $line)
+ VALUE_FILES="$VALUE_FILES -f $PWD$file"
 fi
 done
 for line in $appValueFiles; do
- if [ $line != "null" ]; then
- file=$(replaceGlobals $line)
- VALUE_FILES="$VALUE_FILES -f $PWD$file"
+ if [ $line != "null" ] && [ -f $line ]; then
+ file=$(replaceGlobals $line)
+ VALUE_FILES="$VALUE_FILES -f $PWD$file"
 fi
 done
-cmd="helm template $chart --name-template ${APP} -n ${namespace} ${VALUE_FILES} ${OVERRIDES} ${CLUSTER_OPTS}"
-eval "$cmd"
+if [ $isKustomize == "true" ]; then
+ kustomizePath=$(yq ".clusterGroup.applications.$APP.path" values-$SITE.yaml)
+ repoURL=$(yq ".clusterGroup.applications.$APP.repoURL" values-$SITE.yaml)
+ if [[ $repoURL == http* ]] || [[ $repoURL == git@ ]]; then
+ kustomizePath="${repoURL}/${kustomizePath}"
+ fi
+ cmd="oc kustomize ${kustomizePath}"
+ eval "$cmd"
+else
+ cmd="helm template $chart --name-template ${APP} -n ${namespace} ${VALUE_FILES} ${OVERRIDES} ${CLUSTER_OPTS}"
+ eval "$cmd"
+fi
diff --git a/common/scripts/process-secrets.sh b/common/scripts/process-secrets.sh
new file mode 100755
index 00000000..509d6d71
--- /dev/null
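Review bot: When no entry under `clusterGroup.applications` has `name == $APPNAME`, the `with_entries(...) | keys | .[0]` lookup yields `null`, so `APP` becomes the literal string `null`, the next two lookups resolve `.clusterGroup.applications.null.path` and `.namespace`, and the script carries `chart=null namespace=null` on to a confusing helm error much later; add a check right after the assignment, `if [ -z "$APP" ] || [ "$APP" = "null" ]; then echo "application $APPNAME not found in values-$SITE.yaml"; exit 1; fi`. `$APPNAME` is also spliced into the yq program inside `\"...\"`, so a name containing a double quote changes the expression rather than the compared value; in this commit the names come from preview-all.sh reading the same values file, and a comment stating that assumption would help the next caller. This hunk starts at the top of the argument handling; the `replaceGlobals` function it ends in continues past the hunk.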
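Review bot: `[[ $repoURL == git@ ]]` is an exact match, not a prefix match, so an SSH-style `git@host:org/repo` URL never takes the branch and `kustomizePath` stays relative; the intended test is `[[ $repoURL == git@* ]]`. The new `[ -f $line ]` guards test the raw values-file entry before `replaceGlobals` rewrites it, whereas helm receives `$PWD$file` after the rewrite, so an entry that needs rewriting is presumably skipped even when the rewritten file exists; testing `-f "$PWD$file"` after the `file=$(replaceGlobals $line)` line checks what is actually passed. `$isKustomize` and `$line` are unquoted inside `[ ... ]`, so an empty value becomes a syntax error rather than a false test. Both `eval "$cmd"` branches execute paths and URLs read from the values files, which is pre-existing behaviour but worth a comment now that a second command builder exists.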
+++ b/common/scripts/process-secrets.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -eu
+
+get_abs_filename() {
+ # $1 : relative filename
+ echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+}
+
+SCRIPT=$(get_abs_filename "$0")
+SCRIPTPATH=$(dirname "${SCRIPT}")
+COMMONPATH=$(dirname "${SCRIPTPATH}")
+PATTERNPATH=$(dirname "${COMMONPATH}")
+ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible"
+PLAYBOOKPATH="${ANSIBLEPATH}/playbooks"
+export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg"
+
+PATTERN_NAME=${1:-$(basename "`pwd`")}
+SECRETS_BACKING_STORE="$($SCRIPTPATH/determine-secretstore-backend.sh)"
+
+ansible-playbook -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" -e secrets_backing_store="${SECRETS_BACKING_STORE}" "${PLAYBOOKPATH}/process_secrets/process_secrets.yml"
diff --git a/common/scripts/set-secret-backend.sh b/common/scripts/set-secret-backend.sh
new file mode 100755
index 00000000..e07b15bf
--- /dev/null
+++ b/common/scripts/set-secret-backend.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+BACKEND=$1
+
+yq -i ".global.secretStore.backend = \"$BACKEND\"" values-global.yaml
diff --git a/common/tests/acm-industrial-edge-factory.expected.yaml b/common/tests/acm-industrial-edge-factory.expected.yaml
index 2210b4cf..561fbd7b 100644
--- a/common/tests/acm-industrial-edge-factory.expected.yaml
+++ b/common/tests/acm-industrial-edge-factory.expected.yaml
@@ -22,6 +22,7 @@ metadata:
 namespace: open-cluster-management
 annotations:
 argocd.argoproj.io/sync-wave: "-1"
+ installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }'
 spec: {}
 ---
 # Source: acm/templates/policies/ocp-gitops-policy.yaml
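Review bot: `determine-secretstore-backend.sh` is called without an argument, so it reads `./values-global.yaml` relative to the caller's working directory, whereas the `pattern_dir` handed to the playbook is `${PATTERNPATH}` derived from the script's own location; run from any other directory the backend is read from a different tree (or defaults to vault) than the one the playbook processes. Passing the same directory keeps the two consistent: `SECRETS_BACKING_STORE="$("${SCRIPTPATH}/determine-secretstore-backend.sh" "${PATTERNPATH}")"`. display-secrets-info.sh has the same call in its `else` branch. `$SCRIPTPATH` is also unquoted in that command substitution.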
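Review bot: `$BACKEND` is taken from `$1` without validation and spliced into the yq program as `\"$BACKEND\"`, so an empty argument writes an empty backend and a value containing a double quote breaks or alters the expression; since this value later selects the secrets backend via determine-secretstore-backend.sh, a cheap guard is `[ -n "$BACKEND" ] || { echo "usage: $0 <backend>"; exit 1; }`, and passing it through the environment keeps it out of the program text: `BACKEND="$BACKEND" yq -i '.global.secretStore.backend = strenv(BACKEND)' values-global.yaml`. The script also assumes `values-global.yaml` in the current directory, unlike determine-secretstore-backend.sh which accepts a pattern directory; a one-line usage comment at the top would make both assumptions explicit.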
@@ -89,6 +90,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -100,7 +110,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.12 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/common/tests/acm-industrial-edge-hub.expected.yaml b/common/tests/acm-industrial-edge-hub.expected.yaml index f9627771..453e8a9e 100644 --- a/common/tests/acm-industrial-edge-hub.expected.yaml +++ b/common/tests/acm-industrial-edge-hub.expected.yaml 
@@ -215,19 +215,19 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' + - "/values-global.yaml" + - "/values-factory.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver 
(index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -236,18 +236,18 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - name: clusterGroup.name value: factory + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: 
@@ -296,6 +296,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -307,7 +316,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.12 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/common/tests/acm-medical-diagnosis-hub.expected.yaml b/common/tests/acm-medical-diagnosis-hub.expected.yaml index cea5a1dc..8b50de7a 100644 --- a/common/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/common/tests/acm-medical-diagnosis-hub.expected.yaml 
@@ -206,19 +206,19 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' + - "/values-global.yaml" + - "/values-region-one.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -227,18 +227,18 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - name: clusterGroup.name value: region-one + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: 
@@ -287,6 +287,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -298,7 +307,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.12 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/common/tests/acm-naked.expected.yaml b/common/tests/acm-naked.expected.yaml index 5ba9bd60..561fbd7b 100644 --- a/common/tests/acm-naked.expected.yaml +++ b/common/tests/acm-naked.expected.yaml @@ -90,6 +90,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -101,7 +110,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.12 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/common/tests/acm-normal.expected.yaml b/common/tests/acm-normal.expected.yaml index 55553a79..66f1c590 100644 --- a/common/tests/acm-normal.expected.yaml +++ b/common/tests/acm-normal.expected.yaml 
@@ -609,19 +609,19 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' + - "/values-global.yaml" + - "/values-acm-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver 
(index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -630,18 +630,18 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - name: clusterGroup.name value: acm-edge + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: 
@@ -705,19 +705,19 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' + - "/values-global.yaml" + - "/values-acm-provision-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke 
cluster version + - '/values-{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}.yaml' parameters: - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL + value: https://github.com/pattern-clone/mypattern - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION + value: main - name: global.namespace value: $ARGOCD_APP_NAMESPACE - name: global.pattern @@ -726,18 +726,18 @@ spec: value: apps.hub.example.com - name: global.localClusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - name: global.clusterDomain value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' + value: '{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}' - name: global.localClusterName value: '{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}' - name: global.clusterPlatform value: aws - name: clusterGroup.name value: acm-provision-edge + - name: global.experimentalCapabilities + value: - name: clusterGroup.isHubCluster value: "false" destination: 
@@ -786,6 +786,15 @@ spec: include: - default object-templates: + - complianceType: mustonlyhave + objectDefinition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: trusted-ca-bundle + namespace: openshift-gitops + labels: + config.openshift.io/inject-trusted-cabundle: 'true' - complianceType: mustonlyhave objectDefinition: # This is an auto-generated file. DO NOT EDIT @@ -797,7 +806,7 @@ spec: labels: operators.coreos.com/openshift-gitops-operator.openshift-operators: '' spec: - channel: gitops-1.8 + channel: gitops-1.12 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/common/tests/clustergroup-industrial-edge-factory.expected.yaml b/common/tests/clustergroup-industrial-edge-factory.expected.yaml index aef52f65..f34b5f18 100644 --- a/common/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/common/tests/clustergroup-industrial-edge-factory.expected.yaml @@ -186,6 +186,8 @@ data: useCSV: true pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: example @@ -196,6 +198,16 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml kind: ConfigMap apiVersion: v1 
@@ -228,6 +240,15 @@ data: --set clusterGroup.name=factory --post-renderer ./kustomize"] --- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-factory + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -357,6 +378,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -368,7 +392,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -376,15 +399,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -417,12 +442,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-factory + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-factory restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -525,13 +550,15 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: 
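Review bot: `--recurse-submodules` on the clone line now fetches every URL listed in the repository's `.gitmodules`, but the shallow `--depth 1` is not propagated, so submodules are cloned with full history, and the global `core.sshCommand` set a few lines earlier with `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` is inherited by every SSH submodule fetch, so none of those hosts is authenticated either. At minimum add `--shallow-submodules` to keep the clone bounded: `git clone --recurse-submodules --shallow-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo;`. Pinning a known_hosts file for the pattern's git host would be the stronger fix, but the chart does not currently expose such a value as far as this diff shows. The credential branch of this shell script begins above the hunk, and the same script change is repeated in the other expected files in this commit.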
@@ -689,6 +716,7 @@ spec: - manuela-stormshift-line-dashboard --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -699,6 +727,7 @@ spec: - manuela-stormshift-machine-sensor --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/common/tests/clustergroup-industrial-edge-hub.expected.yaml b/common/tests/clustergroup-industrial-edge-hub.expected.yaml index 3fcca694..6641ff73 100644 --- a/common/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/common/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -347,6 +347,8 @@ data: useCSV: true pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: example @@ -357,6 +359,16 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/plumbing/argocd-cmp-plugin-cms.yaml kind: ConfigMap apiVersion: v1 @@ -389,6 +401,15 @@ data: --set clusterGroup.name=datacenter --post-renderer ./kustomize"] --- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-datacenter + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -518,6 +539,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' 
@@ -529,7 +553,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -537,15 +560,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always 
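Review bot: The three proxy lookups read `.spec.httpProxy`, `.spec.httpsProxy` and `.spec.noProxy` from `proxy.config.openshift.io/cluster`, but OpenShift publishes the effective, validated values, including the cluster-generated `noProxy` entries for the service and cluster networks, under `.status`, so a `.spec.noProxy` that omits those defaults could push traffic for internal git hosts through the proxy. Switching the jsonpath expressions to `{.status.httpProxy}`, `{.status.httpsProxy}` and `{.status.noProxy}` matches what the platform itself applies to its own components. The `2>/dev/null` also hides an RBAC denial on `proxies.config.openshift.io` for the job's service account, which would silently leave the clone un-proxied; echoing a warning when `oc` exits non-zero would make that failure visible. The script's credential handling starts above this hunk.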
@@ -578,12 +603,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-datacenter restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -613,6 +638,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -624,7 +652,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -632,15 +659,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -675,12 +704,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-datacenter restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -819,6 +848,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -882,6 +913,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: 
@@ -936,6 +969,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -990,6 +1025,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps", @@ -1074,6 +1111,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1128,6 +1167,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1209,6 +1250,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: - name: global.openshift value: "true" - name: injector.enabled @@ -1233,7 +1276,7 @@ spec: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: @@ -1391,6 +1434,7 @@ spec: - golang-external-secrets --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1401,6 +1445,7 @@ spec: - external-secrets --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1411,6 +1456,7 @@ spec: - open-cluster-management --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1421,6 +1467,7 @@ spec: - manuela-tst-all --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: 
@@ -1431,6 +1478,7 @@ spec: - manuela-ci --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1441,6 +1489,7 @@ spec: - manuela-data-lake --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1451,6 +1500,7 @@ spec: - staging --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml index 5678d8bc..a61ce547 100644 --- a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml @@ -306,6 +306,8 @@ data: useCSV: true pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: example @@ -316,6 +318,25 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-hub + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -445,6 +466,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' 
@@ -456,7 +480,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -464,15 +487,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always 
@@ -505,12 +530,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-hub restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -540,6 +565,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -551,7 +579,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -559,15 +586,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -602,12 +631,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-hub restartPolicy: Never --- # Source: clustergroup/templates/core/subscriptions.yaml @@ -704,6 +733,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -758,6 +789,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: 
@@ -812,6 +845,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -866,6 +901,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -920,6 +957,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -974,6 +1013,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1028,6 +1069,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1082,6 +1125,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: - name: global.openshift value: "true" - name: injector.enabled @@ -1154,6 +1199,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1208,6 +1255,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -1262,6 +1311,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps.openshift.io", @@ -1325,6 +1376,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "apps.openshift.io", 
@@ -1388,13 +1441,15 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: limit: 20 --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: @@ -1526,6 +1581,7 @@ spec: - open-cluster-management --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1536,6 +1592,7 @@ spec: - openshift-serverless --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1546,6 +1603,7 @@ spec: - opendatahub --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1556,6 +1614,7 @@ spec: - openshift-storage --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1566,6 +1625,7 @@ spec: - xraylab-1 --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1576,6 +1636,7 @@ spec: - knative-serving --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1586,6 +1647,7 @@ spec: - staging --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1596,6 +1658,7 @@ spec: - vault --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/common/tests/clustergroup-naked.expected.yaml b/common/tests/clustergroup-naked.expected.yaml index ec8099f3..fdaf4293 100644 --- a/common/tests/clustergroup-naked.expected.yaml 
+++ b/common/tests/clustergroup-naked.expected.yaml @@ -76,11 +76,32 @@ data: syncPolicy: Automatic useCSV: true pattern: common + secretStore: + backend: vault targetRevision: main secretStore: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: common-example + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -210,6 +231,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -221,7 +245,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -229,15 +252,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -272,16 +297,16 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: diff --git a/common/tests/clustergroup-normal.expected.yaml b/common/tests/clustergroup-normal.expected.yaml index a3dd7cd4..93f6892a 100644 --- a/common/tests/clustergroup-normal.expected.yaml +++ b/common/tests/clustergroup-normal.expected.yaml 
@@ -268,6 +268,8 @@ data: useCSV: false pattern: mypattern repoURL: https://github.com/pattern-clone/mypattern + secretStore: + backend: vault targetRevision: main main: clusterGroupName: example @@ -278,6 +280,25 @@ data: kind: ClusterSecretStore name: vault-backend --- +# Source: clustergroup/templates/imperative/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trusted-ca-bundle + namespace: imperative + annotations: + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- +# Source: clustergroup/templates/plumbing/trusted-bundle-ca-configmap.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trusted-ca-bundle + namespace: mypattern-example + labels: + config.openshift.io/inject-trusted-cabundle: 'true' +--- # Source: clustergroup/templates/imperative/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -407,6 +428,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' @@ -418,7 +442,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; 
@@ -426,15 +449,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: test image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always @@ -467,12 +492,12 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- # Source: clustergroup/templates/imperative/unsealjob.yaml @@ -502,6 +527,9 @@ spec: env: - name: HOME value: /git/home + volumeMounts: + - name: git + mountPath: "/git" command: - 'sh' - '-c' 
@@ -513,7 +541,6 @@ spec: U="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.username | base64decode }}')"; P="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.password | base64decode }}')"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1${U}:${P}@/"); - echo "USER/PASS: ${URL}"; else S="$(oc get secret -n openshift-gitops vp-private-repo-credentials -o go-template='{{index .data.sshPrivateKey | base64decode }}')"; mkdir -p --mode 0700 "${HOME}/.ssh"; @@ -521,15 +548,17 @@ spec: chmod 0600 "${HOME}/.ssh/id_rsa"; URL=$(echo https://github.com/pattern-clone/mypattern | sed -E "s/(https?:\/\/)/\1git@/"); git config --global core.sshCommand "ssh -i "${HOME}/.ssh/id_rsa" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; - echo "SSH: ${URL}"; fi; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTP_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.httpsProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export HTTPS_PROXY="${OUT}"; fi; + OUT="$(oc get proxy.config.openshift.io/cluster -o jsonpath='{.spec.noProxy}' 2>/dev/null)"; + if [ -n "${OUT}" ]; then export NO_PROXY="${OUT}"; fi; mkdir /git/{repo,home}; - git clone --single-branch --branch main --depth 1 -- "${URL}" /git/repo; + git clone --recurse-submodules --single-branch --branch main --depth 1 -- "${URL}" /git/repo; chmod 0770 /git/{repo,home}; - volumeMounts: - - name: git - mountPath: "/git" - name: unseal-playbook image: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest imagePullPolicy: Always 
@@ -564,14 +593,17 @@ spec: - 'echo' - 'done' - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example + volumes: + - name: git + emptyDir: {} + - name: values-volume + configMap: + name: helm-values-configmap-example restartPolicy: Never --- +# Source: clustergroup/templates/core/operatorgroup.yaml +--- +--- # Source: clustergroup/templates/core/subscriptions.yaml --- --- @@ -668,6 +700,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: ignoreDifferences: [ { "group": "internal.open-cluster-management.io", @@ -734,6 +768,8 @@ spec: value: apps.region.example.com - name: global.privateRepo value: + - name: global.experimentalCapabilities + value: syncPolicy: automated: {} retry: @@ -980,7 +1016,7 @@ spec: - /status --- # Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 +apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: finalizers: @@ -1102,6 +1138,7 @@ spec: text: 'Example ArgoCD' --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1113,6 +1150,7 @@ spec: - other-namespace --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1122,6 +1160,7 @@ spec: targetNamespaces: --- # Source: clustergroup/templates/core/operatorgroup.yaml +--- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -1132,7 +1171,6 @@ spec: - include-ci --- # Source: clustergroup/templates/core/operatorgroup.yaml ---- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: diff --git a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml index d92ef427..f0969200 100644 
--- a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
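Review bot: The new `passworddepot` provider object in the second hunk exposes only `auth`, `database` and `host`, with no `caBundle`/`caProvider` field such as the `akeyless` provider carries earlier in this file, so the schema offers no way to pin the Password Depot server certificate; `host` is also a bare `type: string` with no `format` or `pattern`, so the CRD will accept a plain `http://` URL as well as `https://`. This CRD looks generated and vendored from upstream external-secrets, so the gap should be raised there rather than hand-patched in this copy. Until upstream adds a CA option, a pattern that adopts this provider should only configure an `https://` host whose certificate presumably validates against the system roots, as the akeyless `caBundle` text describes for that provider; whether the controller rejects `http://` is not visible from the schema and is worth confirming against the provider implementation. The `credentials` description `Username / Password is used for authentication` is also ambiguous for a single key selector, since it does not say which of the two the referenced key holds.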
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
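Review bot: The new `onboardbase.project` field carries `default: development`, which looks copied from the `environment` field directly above it; since a CRD default is applied before `required` is checked, a SecretStore that omits `project` would silently pass validation and pull secrets from a project literally named `development` instead of failing loudly. The `environment` description in the same hunk also misspells `environmnent`. This schema looks like controller-gen output vendored from the upstream operator, so the correction (dropping the `default:` line under `project` so that only `description:` and `type: string` remain) belongs upstream and should be confirmed against the upstream source before the next re-sync rather than patched locally.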
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -9225,7 +12439,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] 
@@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml index 43c5d3fc..0ecbf649 100644 --- a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -9225,7 +12439,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] 
@@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml index 43c5d3fc..0ecbf649 100644 --- a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -9225,7 +12439,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] 
@@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/common/tests/golang-external-secrets-naked.expected.yaml b/common/tests/golang-external-secrets-naked.expected.yaml index 6b9d3030..55750256 100644 --- a/common/tests/golang-external-secrets-naked.expected.yaml +++ b/common/tests/golang-external-secrets-naked.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -9225,7 +12439,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] 
@@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/common/tests/golang-external-secrets-normal.expected.yaml b/common/tests/golang-external-secrets-normal.expected.yaml index 43c5d3fc..0ecbf649 100644 --- a/common/tests/golang-external-secrets-normal.expected.yaml +++ b/common/tests/golang-external-secrets-normal.expected.yaml @@ -4,12 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -17,12 +17,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -30,12 +30,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -43,12 +43,12 @@ apiVersion: v1 kind: Secret metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,7 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -85,18 +85,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -111,32 +132,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -147,10 +178,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -158,7 +194,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -167,7 +205,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -175,10 +217,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. @@ -208,7 +263,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -239,10 +294,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -273,7 +337,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -311,14 +377,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -338,7 +413,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -353,11 +430,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -395,7 +476,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -430,11 +513,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -447,10 +534,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -458,7 +549,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -482,7 +579,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -495,13 +594,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -513,11 +617,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -526,7 +634,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -536,7 +646,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -547,7 +660,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -636,21 +752,31 @@ spec: type: object type: object namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. + description: |- + The labels to select by to find the Namespaces to create the ExternalSecrets in. + Deprecated: Use NamespaceSelectors instead. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -662,10 +788,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + namespaceSelectors: + description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array namespaces: description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. items: @@ -739,7 +916,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -768,10 +945,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -779,7 +965,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -796,7 +984,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -805,23 +995,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -829,7 +1034,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -839,51 +1046,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -942,26 +1170,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -980,7 +1216,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -989,7 +1228,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -997,39 +1239,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1060,32 +1314,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1095,10 +1361,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1106,7 +1377,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1155,13 +1428,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1177,7 +1454,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1185,7 +1465,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1212,13 +1494,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1246,13 +1532,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1277,29 +1567,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1310,7 +1612,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1318,7 +1623,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1328,16 +1635,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1387,7 +1700,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -1396,26 +1712,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1434,13 +1758,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -1451,10 +1782,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1462,7 +1798,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1474,6 +1812,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -1481,26 +1859,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1509,55 +1901,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1565,7 +1985,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1575,55 +1997,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1631,7 +2084,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1641,27 +2096,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -1671,18 +2139,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1708,23 +2184,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1740,7 +2233,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1781,7 +2278,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1791,13 +2290,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1828,13 +2331,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1842,16 +2349,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1918,10 +2431,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1931,7 +2453,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1939,16 +2463,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1960,7 +2492,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1972,7 +2507,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1989,7 +2526,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1998,23 +2537,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2022,7 +2576,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2032,51 +2588,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -2089,7 +2666,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2135,26 +2714,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2178,7 +2765,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -2187,7 +2777,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2195,52 +2788,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -2258,10 +2870,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -2297,38 +2919,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -2336,7 +2987,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -2347,10 +3002,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2358,13 +3018,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -2372,6 +3034,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -2382,29 +3087,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2416,24 +3133,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2441,7 +3174,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2457,7 +3192,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -2466,7 +3204,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2485,7 +3225,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -2494,13 +3236,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2514,13 +3260,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -2531,10 +3281,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -2550,16 +3304,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2620,6 +3381,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -2632,13 +3421,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2654,7 +3447,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2662,7 +3458,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2689,13 +3487,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2750,13 +3552,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2771,16 +3577,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2801,29 +3613,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2831,7 +3655,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2839,7 +3666,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2848,16 +3677,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2883,7 +3718,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2903,6 +3740,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2916,13 +3817,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2948,7 +3853,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2957,26 +3864,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2995,13 +3910,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -3012,10 +3934,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3023,7 +3950,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3035,6 +3964,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -3045,13 +4113,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3074,13 +4146,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -3102,16 +4178,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3140,39 +4222,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -3180,37 +4284,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -3222,7 +4342,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3230,7 +4353,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3252,39 +4377,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3298,25 +4438,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3324,7 +4480,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3334,55 +4492,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -3390,7 +4579,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -3400,43 +4591,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -3444,23 +4660,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -3468,7 +4695,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3481,7 +4712,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -3494,23 +4727,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -3526,7 +4825,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -3567,7 +4870,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -3577,13 +4882,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -3614,13 +4923,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3628,16 +4941,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3657,13 +4976,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -3671,16 +4994,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -3750,7 +5079,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -3768,13 +5097,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3790,7 +5134,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -3798,52 +5145,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -3852,7 +5218,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region @@ -3878,7 +5246,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -3910,10 +5278,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3955,7 +5332,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -3981,13 +5360,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -3996,11 +5380,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -4010,7 +5398,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4021,7 +5412,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4093,7 +5487,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4117,7 +5514,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4149,10 +5548,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4165,7 +5573,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -4203,14 +5613,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -4230,7 +5649,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4245,11 +5666,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -4287,7 +5712,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -4322,11 +5749,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -4339,10 +5770,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -4350,7 +5785,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -4374,7 +5815,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -4387,13 +5830,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -4405,11 +5853,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -4418,7 +5870,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -4428,7 +5882,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -4439,7 +5896,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -4533,7 +5993,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -4557,7 +6020,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -4586,7 +6051,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4604,13 +6069,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4618,12 +6094,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object @@ -4647,7 +6127,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -4665,13 +6145,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4686,13 +6177,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -4708,7 +6203,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -4716,7 +6214,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -4750,65 +6250,187 @@ spec: namespace: "default" path: /convert --- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +# Source: golang-external-secrets/charts/external-secrets/templates/crds/githubaccesstoken.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: passwords.generators.external-secrets.io + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io names: categories: - - password - kind: Password - listKind: PasswordList - plural: passwords + - githubaccesstoken + kind: GithubAccessToken + listKind: GithubAccessTokenList + plural: githubaccesstokens shortNames: - - password - singular: password + - githubaccesstoken + singular: githubaccesstoken scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: GithubAccessToken generates ghs_ accessToken properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PasswordSpec controls the behavior of the password generator. properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + appID: type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat + auth: + description: Auth configures how ESO authenticates with a Github instance. + properties: + privatKey: + properties: + secretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. 
+ type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - secretRef + type: object + required: + - privatKey + type: object + installID: + type: string + url: + description: URL configures the Github instance URL. Defaults to https://github.com/. + type: string + required: + - appID + - auth + - installID + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: passwords.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - password + kind: Password + listKind: PasswordList + plural: passwords + shortNames: + - password + singular: password + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PasswordSpec controls the behavior of the password generator. + properties: + allowRepeat: + default: false + description: set AllowRepeat to true to allow repeating characters. + type: boolean + digits: + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + length: + default: 24 + description: |- + Length of the password to be generated. + Defaults to 24 + type: integer + noUpper: + default: false + description: Set NoUpper to disable uppercase characters + type: boolean + symbolCharacters: + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. + type: string + symbols: + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password + type: integer + required: + - allowRepeat - length - noUpper type: object @@ -4833,7 +6455,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -4858,10 +6480,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -4872,6 +6503,13 @@ spec: description: Secret Data that should be pushed to providers items: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: 
@@ -4894,7 +6532,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -4915,7 +6555,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -4923,16 +6565,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4944,7 +6594,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4977,7 +6630,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -5063,6 +6719,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -5092,7 +6755,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -5100,6 +6765,13 @@ spec: additionalProperties: additionalProperties: properties: + conversionStrategy: + default: None + description: Used to define a conversion Strategy for the secret keys + enum: + - None + - ReverseUnicode + type: string match: description: Match a given Secret Key to be pushed to the provider. properties: @@ -5122,13 +6794,17 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. @@ -5155,7 +6831,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -5184,10 +6860,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5195,7 +6880,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5212,7 +6899,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -5221,23 +6910,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5245,7 +6949,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5255,51 +6961,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -5358,26 +7085,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5396,7 +7131,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -5405,7 +7143,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5413,39 +7154,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5476,32 +7229,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -5511,10 +7276,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5522,7 +7292,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5571,13 +7343,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5593,7 +7369,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5601,7 +7380,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5628,13 +7409,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5662,13 +7447,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -5693,29 +7482,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5726,7 +7527,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5734,7 +7538,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5744,16 +7550,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -5803,7 +7615,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -5812,26 +7627,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5850,13 +7673,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -5867,10 +7697,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -5878,7 +7713,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -5890,6 +7727,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: 
@@ -5897,26 +7774,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -5925,55 +7816,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -5981,7 +7900,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -5991,55 +7912,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6047,7 +7999,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6057,27 +8011,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -6087,18 +8054,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6124,23 +8099,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -6156,7 +8148,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -6197,7 +8193,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -6207,13 +8205,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -6244,13 +8246,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6258,16 +8264,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -6334,10 +8346,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6347,7 +8368,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -6355,16 +8378,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6376,7 +8407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -6388,7 +8422,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -6405,7 +8441,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -6414,23 +8452,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6438,7 +8491,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -6448,51 +8503,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -6505,7 +8581,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6551,26 +8629,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6594,7 +8680,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -6603,7 +8692,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6611,52 +8703,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -6674,10 +8785,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -6713,38 +8834,67 @@ spec: description: AzureKV configures this store to sync secrets using Azure Key Vault provider properties: authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. + description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. properties: clientId: - description: The Azure clientId of the service principle used for authentication. + description: The Azure clientId of the service principle or managed identity used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + tenantId: + description: The Azure tenantId of the managed identity used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity 
@@ -6752,7 +8902,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud @@ -6763,10 +8917,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -6774,13 +8933,15 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. + description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. type: string vaultUrl: description: Vault Url from which the secrets to be fetched from. 
@@ -6788,6 +8949,49 @@ spec: required: - vaultUrl type: object + chef: + description: Chef configures this store to sync secrets with chef server + properties: + auth: + description: Auth defines the information necessary to authenticate against chef Server + properties: + secretRef: + description: ChefAuthSecretRef holds secret references for chef server login credentials. + properties: + privateKeySecretRef: + description: SecretKey is the Signing Key in PEM format, used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - privateKeySecretRef + type: object + required: + - secretRef + type: object + serverUrl: + description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" + type: string + username: + description: UserName should be the user ID on the chef server + type: string + required: + - auth + - serverUrl + - username + type: object conjur: description: Conjur configures this store to sync secrets using conjur provider properties: 
@@ -6798,29 +9002,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -6832,24 +9048,40 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -6857,7 +9089,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -6873,7 +9107,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -6882,7 +9119,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -6901,7 +9140,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -6910,13 +9151,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -6930,13 +9175,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -6947,10 +9196,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -6966,16 +9219,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7036,6 +9296,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: 
@@ -7048,13 +9336,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7070,7 +9362,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7078,7 +9373,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7105,13 +9402,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7166,13 +9467,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7187,16 +9492,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -7217,29 +9528,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7247,7 +9570,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7255,7 +9581,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7264,16 +9592,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -7299,7 +9633,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7319,6 +9655,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -7332,13 +9732,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7364,7 +9768,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -7373,26 +9779,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7411,13 +9825,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -7428,10 +9849,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -7439,7 +9865,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7451,6 +9879,145 @@ spec: - region - vault type: object + passbolt: + properties: + auth: + description: Auth defines the information necessary to authenticate against Passbolt Server + properties: + passwordSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + privateKeySecretRef: + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - passwordSecretRef + - privateKeySecretRef + type: object + host: + description: Host defines the Passbolt Server to connect to + type: string + required: + - auth + - host + type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. 
+ properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object + pulumi: + description: Pulumi configures this store to sync secrets using the Pulumi provider + properties: + accessToken: + description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + default: https://api.pulumi.com + description: APIURL is the URL of the Pulumi API. 
+ type: string + environment: + description: |- + Environment are YAML documents composed of static key-value pairs, programmatic expressions, + dynamically retrieved values from supported providers including all major clouds, + and other Pulumi ESC environments. + To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information. + type: string + organization: + description: |- + Organization are a space to collaborate on shared projects and stacks. + To create a new organization, visit https://app.pulumi.com/ and click "New Organization". + type: string + required: + - accessToken + - environment + - organization + type: object scaleway: description: Scaleway properties: @@ -7461,13 +10028,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7490,13 +10061,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -7518,16 +10093,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7556,39 +10137,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -7596,37 +10199,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -7638,7 +10257,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7646,7 +10268,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7668,39 +10292,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -7714,25 +10353,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7740,7 +10395,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7750,55 +10407,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -7806,7 +10494,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -7816,43 +10506,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -7860,23 +10575,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -7884,7 +10610,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7897,7 +10627,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -7910,23 +10642,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -7942,7 +10740,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -7983,7 +10785,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -7993,13 +10797,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -8030,13 +10838,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8044,16 +10856,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8073,13 +10891,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8087,16 +10909,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -8166,7 +10994,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -8186,17 +11014,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -8214,39 +11053,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -8254,37 +11115,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -8296,7 +11173,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8304,7 +11184,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8326,39 +11208,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -8372,25 +11269,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8398,7 +11311,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8408,55 +11323,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -8464,7 +11410,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -8474,43 +11422,68 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -8518,23 +11491,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -8542,7 +11526,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -8555,7 +11543,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -8568,23 +11558,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -8595,7 +11651,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth 
@@ -8620,16 +11681,163 @@ spec: namespace: "default" path: /convert --- +# Source: golang-external-secrets/charts/external-secrets/templates/crds/webhook.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: webhooks.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - webhook + kind: Webhook + listKind: WebhookList + plural: webhooks + shortNames: + - webhookl + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Webhook connects to a third party API server to handle the secrets generation + configuration parameters in spec. + You can specify the server, the token, and additional body parameters. + See documentation for the full API specification for requests and responses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field. + properties: + body: + description: Body + type: string + caBundle: + description: |- + PEM encoded CA bundle used to validate webhook server certificate. 
Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. + format: byte + type: string + caProvider: + description: The provider for the CA bundle to use to validate webhook server certificate. + properties: + key: + description: The key the value inside of the provider type to use, only used with "Secret" type + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + headers: + additionalProperties: + type: string + description: Headers + type: object + method: + description: Webhook Method + type: string + result: + description: Result formatting + properties: + jsonPath: + description: Json path of return value + type: string + type: object + secrets: + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name + items: + properties: + name: + description: Name of this secret in templates + type: string + secretRef: + description: Secret ref to fill in credentials + properties: + key: + description: The key where the token is found. + type: string + name: + description: The name of the Secret resource being referred to. 
+ type: string + type: object + required: + - name + - secretRef + type: object + type: array + timeout: + description: Timeout + type: string + url: + description: Webhook url to call + type: string + required: + - result + - url + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: golang-external-secrets-webhook + namespace: "default" + path: /convert +--- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8693,10 +11901,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8739,8 +11947,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "list" 
@@ -8802,10 +12012,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8829,8 +12039,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "get" - "watch" @@ -8842,10 +12054,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8870,8 +12082,10 @@ rules: - "ecrauthorizationtokens" - "fakes" - "gcraccesstokens" + - "githubaccesstokens" - "passwords" - "vaultdynamicsecrets" + - "webhooks" verbs: - "create" - "delete" @@ -8886,10 +12100,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8907,10 +12121,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8918,7 +12132,7 @@ roleRef: name: golang-external-secrets-cert-controller subjects: - name: external-secrets-cert-controller - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml @@ -8927,10 +12141,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8938,7 +12152,7 @@ roleRef: name: golang-external-secrets-controller subjects: - name: golang-external-secrets - namespace: "default" + namespace: default kind: ServiceAccount --- # Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml @@ -8961,12 +12175,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -9000,12 +12214,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: golang-external-secrets-leaderelection - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -9014,19 +12228,19 @@ roleRef: subjects: - kind: ServiceAccount name: golang-external-secrets - namespace: "default" + namespace: default --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -9045,12 +12259,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-cert-controller - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -9062,10 +12276,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -9080,7 +12294,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - certcontroller @@ -9108,12 +12322,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9125,10 +12339,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets @@ -9143,7 +12357,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -9158,12 +12372,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: golang-external-secrets-webhook - namespace: "default" + namespace: default labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -9175,10 +12389,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.16 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.11" + app.kubernetes.io/version: "v0.9.16" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -9193,7 +12407,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.11-ubi" + image: ghcr.io/external-secrets/external-secrets:v0.9.16-ubi imagePullPolicy: IfNotPresent args: - webhook @@ -9225,7 +12439,7 @@ spec: secret: secretName: golang-external-secrets-webhook --- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +# Source: golang-external-secrets/templates/vault/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -9273,7 +12487,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-secretstore admissionReviewVersions: ["v1", "v1beta1"] @@ -9289,7 +12503,7 @@ webhooks: scope: "Cluster" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] 
@@ -9313,7 +12527,7 @@ webhooks: scope: "Namespaced" clientConfig: service: - namespace: "default" + namespace: default name: golang-external-secrets-webhook path: /validate-external-secrets-io-v1beta1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] diff --git a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml index 0c68e832..74212ee2 100644 --- a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml index 0c68e832..74212ee2 100644 --- a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" 
@@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml index 0c68e832..74212ee2 100644 --- a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-naked.expected.yaml b/common/tests/hashicorp-vault-naked.expected.yaml index e09ac08f..1fe2cd90 100644 --- a/common/tests/hashicorp-vault-naked.expected.yaml +++ b/common/tests/hashicorp-vault-naked.expected.yaml 
@@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: 
@@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-normal.expected.yaml b/common/tests/hashicorp-vault-normal.expected.yaml index 0c68e832..74212ee2 100644 --- a/common/tests/hashicorp-vault-normal.expected.yaml +++ b/common/tests/hashicorp-vault-normal.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,12 +18,13 @@ metadata: name: hashicorp-vault-config namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm data: extraconfig-from-values.hcl: |- + disable_mlock = true ui = true listener "tcp" { @@ -42,7 +43,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -63,7 +64,7 @@ metadata: name: hashicorp-vault-internal namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +96,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +127,7 @@ metadata: name: hashicorp-vault-ui namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -167,10 +168,11 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server + annotations: spec: affinity: @@ -204,7 +206,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +348,7 @@ metadata: name: hashicorp-vault namespace: pattern-namespace labels: - helm.sh/chart: vault-0.27.0 + helm.sh/chart: vault-0.28.0 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +375,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.15.2-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.16.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/operator-install-industrial-edge-factory.expected.yaml b/common/tests/operator-install-industrial-edge-factory.expected.yaml index 0ef51dc0..018eb4c5 100644 
--- a/common/tests/operator-install-industrial-edge-factory.expected.yaml +++ b/common/tests/operator-install-industrial-edge-factory.expected.yaml @@ -7,7 +7,7 @@ metadata: namespace: openshift-operators data: gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.11 + gitops.channel: gitops-1.12 # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan @@ -26,7 +26,7 @@ spec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main gitOpsSpec: - operatorChannel: gitops-1.11 + operatorChannel: gitops-1.12 operatorSource: redhat-operators multiSourceConfig: enabled: false diff --git a/common/tests/operator-install-industrial-edge-hub.expected.yaml b/common/tests/operator-install-industrial-edge-hub.expected.yaml index 0ef51dc0..018eb4c5 100644 --- a/common/tests/operator-install-industrial-edge-hub.expected.yaml +++ b/common/tests/operator-install-industrial-edge-hub.expected.yaml @@ -7,7 +7,7 @@ metadata: namespace: openshift-operators data: gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.11 + gitops.channel: gitops-1.12 # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan @@ -26,7 +26,7 @@ spec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main gitOpsSpec: - operatorChannel: gitops-1.11 + operatorChannel: gitops-1.12 operatorSource: redhat-operators multiSourceConfig: enabled: false diff --git a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml b/common/tests/operator-install-medical-diagnosis-hub.expected.yaml index 0ef51dc0..018eb4c5 100644 --- a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml +++ b/common/tests/operator-install-medical-diagnosis-hub.expected.yaml 
@@ -7,7 +7,7 @@ metadata: namespace: openshift-operators data: gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.11 + gitops.channel: gitops-1.12 # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan @@ -26,7 +26,7 @@ spec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main gitOpsSpec: - operatorChannel: gitops-1.11 + operatorChannel: gitops-1.12 operatorSource: redhat-operators multiSourceConfig: enabled: false diff --git a/common/tests/operator-install-naked.expected.yaml b/common/tests/operator-install-naked.expected.yaml index 024ea7ea..fc0d7699 100644 --- a/common/tests/operator-install-naked.expected.yaml +++ b/common/tests/operator-install-naked.expected.yaml @@ -7,7 +7,7 @@ metadata: namespace: openshift-operators data: gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.11 + gitops.channel: gitops-1.12 # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan @@ -26,7 +26,7 @@ spec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main gitOpsSpec: - operatorChannel: gitops-1.11 + operatorChannel: gitops-1.12 operatorSource: redhat-operators multiSourceConfig: enabled: false diff --git a/common/tests/operator-install-normal.expected.yaml b/common/tests/operator-install-normal.expected.yaml index 0ef51dc0..018eb4c5 100644 --- a/common/tests/operator-install-normal.expected.yaml +++ b/common/tests/operator-install-normal.expected.yaml @@ -7,7 +7,7 @@ metadata: namespace: openshift-operators data: gitops.catalogSource: redhat-operators - gitops.channel: gitops-1.11 + gitops.channel: gitops-1.12 # gitops.sourceNamespace: GitOpsDefaultCatalogSourceNamespace # gitops.installApprovalPlan: GitOpsDefaultApprovalPlan 
@@ -26,7 +26,7 @@ spec: targetRepo: https://github.com/pattern-clone/mypattern targetRevision: main gitOpsSpec: - operatorChannel: gitops-1.11 + operatorChannel: gitops-1.12 operatorSource: redhat-operators multiSourceConfig: enabled: false diff --git a/common/values-global.yaml b/common/values-global.yaml index 24feccd5..684f89f2 100644 --- a/common/values-global.yaml +++ b/common/values-global.yaml @@ -12,6 +12,9 @@ global: email: someone@somewhere.com dev_revision: main + secretStore: + backend: vault + main: clusterGroupName: example