diff --git a/client-java-contrib/ex-sec.yaml b/client-java-contrib/ex-sec.yaml
new file mode 100644
index 0000000000..9c03db5411
--- /dev/null
+++ b/client-java-contrib/ex-sec.yaml
@@ -0,0 +1,881 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"controller-gen.kubebuilder.io/version":"v0.15.0"},"labels":{"external-secrets.io/component":"controller"},"name":"externalsecrets.external-secrets.io"},"spec":{"conversion":{"strategy":"Webhook","webhook":{"clientConfig":{"caBundle":"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","service":{"name":"external-secrets-webhook","namespace":"external-secrets","path":"/convert"}},"conversionReviewVersions":["v1"]}},"group":"external-secrets.io","names":{"categories":["externalsecrets"],"kind":"ExternalSecret","listKind":"ExternalSecretList","plural":"externalsecrets","shortNames":["es"],"singular":"externalsecret"},"scope":"Namespaced","versions":[{"additionalPrinterColumns":[{"jsonPath":".spec.secretStoreRef.name","name":"Store","type":"string"},{"jsonPath":".spec.refreshInterval","name":"Refresh Interval","type":"string"},{"jsonPath":".status.conditions[?(@.type==\"Ready\")].reason","name":"Status","type":"string"}],"deprecated":true,"name":"v1alpha1","schema":{"openAPIV3Schema":{"description":"ExternalSecret is the Schema for the external-secrets API.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: 
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"ExternalSecretSpec defines the desired state of ExternalSecret.","properties":{"data":{"description":"Data defines the connection between the Kubernetes Secret keys and the Provider data","items":{"description":"ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.\u003ckey\u003e) and the Provider data.","properties":{"remoteRef":{"description":"ExternalSecretDataRemoteRef defines Provider data location.","properties":{"conversionStrategy":{"default":"Default","description":"Used to define a conversion Strategy","enum":["Default","Unicode"],"type":"string"},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if supported","type":"string"}},"required":["key"],"type":"object"},"secretKey":{"type":"string"}},"required":["remoteRef","secretKey"],"type":"object"},"type":"array"},"dataFrom":{"description":"DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order","items":{"description":"ExternalSecretDataRemoteRef defines Provider data location.","properties":{"conversionStrategy":{"default":"Default","description":"Used to define a conversion Strategy","enum":["Default","Unicode"],"type":"string"},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if 
supported","type":"string"}},"required":["key"],"type":"object"},"type":"array"},"refreshInterval":{"default":"1h","description":"RefreshInterval is the amount of time before the values are read again from the SecretStore provider\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"\nMay be set to zero to fetch and create it once. Defaults to 1h.","type":"string"},"secretStoreRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}},"required":["name"],"type":"object"},"target":{"description":"ExternalSecretTarget defines the Kubernetes Secret to be created\nThere can be only one target per ExternalSecret.","properties":{"creationPolicy":{"default":"Owner","description":"CreationPolicy defines rules on how to create the resulting Secret\nDefaults to 'Owner'","enum":["Owner","Merge","None"],"type":"string"},"immutable":{"description":"Immutable defines if the final secret will be immutable","type":"boolean"},"name":{"description":"Name defines the name of the Secret resource to be managed\nThis field is immutable\nDefaults to the .metadata.name of the ExternalSecret resource","type":"string"},"template":{"description":"Template defines a blueprint for the created Secret resource.","properties":{"data":{"additionalProperties":{"type":"string"},"type":"object"},"engineVersion":{"default":"v1","description":"EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].","enum":["v1","v2"],"type":"string"},"metadata":{"description":"ExternalSecretTemplateMetadata defines metadata fields for the Secret 
blueprint.","properties":{"annotations":{"additionalProperties":{"type":"string"},"type":"object"},"labels":{"additionalProperties":{"type":"string"},"type":"object"}},"type":"object"},"templateFrom":{"items":{"maxProperties":1,"minProperties":1,"properties":{"configMap":{"properties":{"items":{"items":{"properties":{"key":{"type":"string"}},"required":["key"],"type":"object"},"type":"array"},"name":{"type":"string"}},"required":["items","name"],"type":"object"},"secret":{"properties":{"items":{"items":{"properties":{"key":{"type":"string"}},"required":["key"],"type":"object"},"type":"array"},"name":{"type":"string"}},"required":["items","name"],"type":"object"}},"type":"object"},"type":"array"},"type":{"type":"string"}},"type":"object"}},"type":"object"}},"required":["secretStoreRef","target"],"type":"object"},"status":{"properties":{"binding":{"description":"Binding represents a servicebinding.io Provisioned Service reference to the secret","properties":{"name":{"default":"","description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. 
apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.","type":"string"}},"type":"object","x-kubernetes-map-type":"atomic"},"conditions":{"items":{"properties":{"lastTransitionTime":{"format":"date-time","type":"string"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}},"required":["status","type"],"type":"object"},"type":"array"},"refreshTime":{"description":"refreshTime is the time and date the external secret was fetched and\nthe target secret updated","format":"date-time","nullable":true,"type":"string"},"syncedResourceVersion":{"description":"SyncedResourceVersion keeps track of the last synced version","type":"string"}},"type":"object"}},"type":"object"}},"served":true,"storage":false,"subresources":{"status":{}}},{"additionalPrinterColumns":[{"jsonPath":".spec.secretStoreRef.name","name":"Store","type":"string"},{"jsonPath":".spec.refreshInterval","name":"Refresh Interval","type":"string"},{"jsonPath":".status.conditions[?(@.type==\"Ready\")].reason","name":"Status","type":"string"},{"jsonPath":".status.conditions[?(@.type==\"Ready\")].status","name":"Ready","type":"string"}],"name":"v1beta1","schema":{"openAPIV3Schema":{"description":"ExternalSecret is the Schema for the external-secrets API.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests 
to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"ExternalSecretSpec defines the desired state of ExternalSecret.","properties":{"data":{"description":"Data defines the connection between the Kubernetes Secret keys and the Provider data","items":{"description":"ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.\u003ckey\u003e) and the Provider data.","properties":{"remoteRef":{"description":"RemoteRef points to the remote secret and defines\nwhich secret (version/property/..) to fetch.","properties":{"conversionStrategy":{"default":"Default","description":"Used to define a conversion Strategy","enum":["Default","Unicode"],"type":"string"},"decodingStrategy":{"default":"None","description":"Used to define a decoding Strategy","enum":["Auto","Base64","Base64URL","None"],"type":"string"},"key":{"description":"Key is the key used in the Provider, mandatory","type":"string"},"metadataPolicy":{"default":"None","description":"Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None","enum":["None","Fetch"],"type":"string"},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if supported","type":"string"}},"required":["key"],"type":"object"},"secretKey":{"description":"SecretKey defines the key in which the controller stores\nthe value. 
This is the key in the Kind=Secret","type":"string"},"sourceRef":{"description":"SourceRef allows you to override the source\nfrom which the value will pulled from.","maxProperties":1,"properties":{"generatorRef":{"description":"GeneratorRef points to a generator custom resource.\n\n\nDeprecated: The generatorRef is not implemented in .data[].\nthis will be removed with v1.","properties":{"apiVersion":{"default":"generators.external-secrets.io/v1alpha1","description":"Specify the apiVersion of the generator resource","type":"string"},"kind":{"description":"Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.","type":"string"},"name":{"description":"Specify the name of the generator resource","type":"string"}},"required":["kind","name"],"type":"object"},"storeRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}},"required":["name"],"type":"object"}},"type":"object"}},"required":["remoteRef","secretKey"],"type":"object"},"type":"array"},"dataFrom":{"description":"DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order","items":{"properties":{"extract":{"description":"Used to extract multiple key/value pairs from one secret\nNote: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.","properties":{"conversionStrategy":{"default":"Default","description":"Used to define a conversion Strategy","enum":["Default","Unicode"],"type":"string"},"decodingStrategy":{"default":"None","description":"Used to define a decoding Strategy","enum":["Auto","Base64","Base64URL","None"],"type":"string"},"key":{"description":"Key is the key used in the Provider, 
mandatory","type":"string"},"metadataPolicy":{"default":"None","description":"Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None","enum":["None","Fetch"],"type":"string"},"property":{"description":"Used to select a specific property of the Provider value (if a map), if supported","type":"string"},"version":{"description":"Used to select a specific version of the Provider value, if supported","type":"string"}},"required":["key"],"type":"object"},"find":{"description":"Used to find secrets based on tags or regular expressions\nNote: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.","properties":{"conversionStrategy":{"default":"Default","description":"Used to define a conversion Strategy","enum":["Default","Unicode"],"type":"string"},"decodingStrategy":{"default":"None","description":"Used to define a decoding Strategy","enum":["Auto","Base64","Base64URL","None"],"type":"string"},"name":{"description":"Finds secrets based on the name.","properties":{"regexp":{"description":"Finds secrets base","type":"string"}},"type":"object"},"path":{"description":"A root path to start the find operations.","type":"string"},"tags":{"additionalProperties":{"type":"string"},"description":"Find secrets based on tags.","type":"object"}},"type":"object"},"rewrite":{"description":"Used to rewrite secret Keys after getting them from the secret Provider\nMultiple Rewrite operations can be provided. 
They are applied in a layered order (first to last)","items":{"properties":{"regexp":{"description":"Used to rewrite with regular expressions.\nThe resulting key will be the output of a regexp.ReplaceAll operation.","properties":{"source":{"description":"Used to define the regular expression of a re.Compiler.","type":"string"},"target":{"description":"Used to define the target pattern of a ReplaceAll operation.","type":"string"}},"required":["source","target"],"type":"object"},"transform":{"description":"Used to apply string transformation on the secrets.\nThe resulting key will be the output of the template applied by the operation.","properties":{"template":{"description":"Used to define the template to apply on the secret name.\n`.value ` will specify the secret name in the template.","type":"string"}},"required":["template"],"type":"object"}},"type":"object"},"type":"array"},"sourceRef":{"description":"SourceRef points to a store or generator\nwhich contains secret values ready to use.\nUse this in combination with Extract or Find pull values out of\na specific SecretStore.\nWhen sourceRef points to a generator Extract or Find is not supported.\nThe generator returns a static map of values","maxProperties":1,"properties":{"generatorRef":{"description":"GeneratorRef points to a generator custom resource.","properties":{"apiVersion":{"default":"generators.external-secrets.io/v1alpha1","description":"Specify the apiVersion of the generator resource","type":"string"},"kind":{"description":"Specify the Kind of the resource, e.g. 
Password, ACRAccessToken etc.","type":"string"},"name":{"description":"Specify the name of the generator resource","type":"string"}},"required":["kind","name"],"type":"object"},"storeRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}},"required":["name"],"type":"object"}},"type":"object"}},"type":"object"},"type":"array"},"refreshInterval":{"default":"1h","description":"RefreshInterval is the amount of time before the values are read again from the SecretStore provider\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"\nMay be set to zero to fetch and create it once. Defaults to 1h.","type":"string"},"secretStoreRef":{"description":"SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.","properties":{"kind":{"description":"Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`","type":"string"},"name":{"description":"Name of the SecretStore resource","type":"string"}},"required":["name"],"type":"object"},"target":{"default":{"creationPolicy":"Owner","deletionPolicy":"Retain"},"description":"ExternalSecretTarget defines the Kubernetes Secret to be created\nThere can be only one target per ExternalSecret.","properties":{"creationPolicy":{"default":"Owner","description":"CreationPolicy defines rules on how to create the resulting Secret\nDefaults to 'Owner'","enum":["Owner","Orphan","Merge","None"],"type":"string"},"deletionPolicy":{"default":"Retain","description":"DeletionPolicy defines rules on how to delete the resulting Secret\nDefaults to 'Retain'","enum":["Delete","Merge","Retain"],"type":"string"},"immutable":{"description":"Immutable defines if the final secret will be 
immutable","type":"boolean"},"name":{"description":"Name defines the name of the Secret resource to be managed\nThis field is immutable\nDefaults to the .metadata.name of the ExternalSecret resource","type":"string"},"template":{"description":"Template defines a blueprint for the created Secret resource.","properties":{"data":{"additionalProperties":{"type":"string"},"type":"object"},"engineVersion":{"default":"v2","description":"EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].","enum":["v1","v2"],"type":"string"},"mergePolicy":{"default":"Replace","enum":["Replace","Merge"],"type":"string"},"metadata":{"description":"ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.","properties":{"annotations":{"additionalProperties":{"type":"string"},"type":"object"},"labels":{"additionalProperties":{"type":"string"},"type":"object"}},"type":"object"},"templateFrom":{"items":{"properties":{"configMap":{"properties":{"items":{"items":{"properties":{"key":{"type":"string"},"templateAs":{"default":"Values","enum":["Values","KeysAndValues"],"type":"string"}},"required":["key"],"type":"object"},"type":"array"},"name":{"type":"string"}},"required":["items","name"],"type":"object"},"literal":{"type":"string"},"secret":{"properties":{"items":{"items":{"properties":{"key":{"type":"string"},"templateAs":{"default":"Values","enum":["Values","KeysAndValues"],"type":"string"}},"required":["key"],"type":"object"},"type":"array"},"name":{"type":"string"}},"required":["items","name"],"type":"object"},"target":{"default":"Data","enum":["Data","Annotations","Labels"],"type":"string"}},"type":"object"},"type":"array"},"type":{"type":"string"}},"type":"object"}},"type":"object"}},"type":"object"},"status":{"properties":{"binding":{"description":"Binding represents a servicebinding.io Provisioned Service reference to the 
secret","properties":{"name":{"default":"","description":"Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.","type":"string"}},"type":"object","x-kubernetes-map-type":"atomic"},"conditions":{"items":{"properties":{"lastTransitionTime":{"format":"date-time","type":"string"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"type":"string"},"type":{"type":"string"}},"required":["status","type"],"type":"object"},"type":"array"},"refreshTime":{"description":"refreshTime is the time and date the external secret was fetched and\nthe target secret updated","format":"date-time","nullable":true,"type":"string"},"syncedResourceVersion":{"description":"SyncedResourceVersion keeps track of the last synced version","type":"string"}},"type":"object"}},"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]},"status":{"acceptedNames":{"categories":["externalsecrets"],"kind":"ExternalSecret","listKind":"ExternalSecretList","plural":"externalsecrets","shortNames":["es"],"singular":"externalsecret"},"conditions":[{"lastTransitionTime":"2024-01-10T18:09:34Z","message":"no conflicts found","reason":"NoConflicts","status":"True","type":"NamesAccepted"},{"lastTransitionTime":"2024-01-10T18:09:34Z","message":"the initial names have been accepted","reason":"InitialNamesAccepted","status":"True","type":"Established"}],"storedVersions":["v1beta1"]}} + creationTimestamp: "2024-01-10T18:09:34Z" + generation: 4 + labels: + external-secrets.io/component: controller + name: externalsecrets.external-secrets.io + resourceVersion: "3423195595" + 
uid: cd5a5d3a-0017-4fc4-a09d-23834c74b48b +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: 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 + service: + name: external-secrets-webhook + namespace: external-secrets + path: /convert + port: 443 + conversionReviewVersions: + - v1 + group: external-secrets.io + names: + categories: + - externalsecrets + kind: ExternalSecret + listKind: ExternalSecretList + plural: externalsecrets + shortNames: + - es + singular: externalsecret + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.secretStoreRef.name + name: Store + type: string + - jsonPath: .spec.refreshInterval + name: Refresh Interval + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + deprecated: true + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExternalSecret is the Schema for the external-secrets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ExternalSecretSpec defines the desired state of ExternalSecret. 
+ properties: + data: + description: Data defines the connection between the Kubernetes Secret + keys and the Provider data + items: + description: ExternalSecretData defines the connection between the + Kubernetes Secret key (spec.data.) and the Provider data. + properties: + remoteRef: + description: ExternalSecretDataRemoteRef defines Provider data + location. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + secretKey: + type: string + required: + - remoteRef + - secretKey + type: object + type: array + dataFrom: + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order + items: + description: ExternalSecretDataRemoteRef defines Provider data location. 
+ properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + type: array + refreshInterval: + default: 1h + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. + type: string + secretStoreRef: + description: SecretStoreRef defines which SecretStore to fetch the + ExternalSecret data. + properties: + kind: + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + target: + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. + properties: + creationPolicy: + default: Owner + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' + enum: + - Owner + - Merge + - None + type: string + immutable: + description: Immutable defines if the final secret will be immutable + type: boolean + name: + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource + type: string + template: + description: Template defines a blueprint for the created Secret + resource. 
+ properties: + data: + additionalProperties: + type: string + type: object + engineVersion: + default: v1 + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 + type: string + metadata: + description: ExternalSecretTemplateMetadata defines metadata + fields for the Secret blueprint. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + templateFrom: + items: + maxProperties: 1 + minProperties: 1 + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + type: object + type: array + type: + type: string + type: object + type: object + required: + - secretStoreRef + - target + type: object + status: + properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service + reference to the secret + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + refreshTime: + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated + format: date-time + nullable: true + type: string + syncedResourceVersion: + description: SyncedResourceVersion keeps track of the last synced + version + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.secretStoreRef.name + name: Store + type: string + - jsonPath: .spec.refreshInterval + name: Refresh Interval + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: ExternalSecret is the Schema for the external-secrets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ExternalSecretSpec defines the desired state of ExternalSecret. 
+ properties: + data: + description: Data defines the connection between the Kubernetes Secret + keys and the Provider data + items: + description: ExternalSecretData defines the connection between the + Kubernetes Secret key (spec.data.) and the Provider data. + properties: + remoteRef: + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + metadataPolicy: + default: None + description: Policy for fetching tags/labels from provider + secrets, possible options are Fetch, None. Defaults to + None + enum: + - None + - Fetch + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + secretKey: + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret + type: string + sourceRef: + description: |- + SourceRef allows you to override the source + from which the value will pulled from. + maxProperties: 1 + properties: + generatorRef: + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. + properties: + apiVersion: + default: generators.external-secrets.io/v1alpha1 + description: Specify the apiVersion of the generator + resource + type: string + kind: + description: Specify the Kind of the resource, e.g. 
+ Password, ACRAccessToken etc. + type: string + name: + description: Specify the name of the generator resource + type: string + required: + - kind + - name + type: object + storeRef: + description: SecretStoreRef defines which SecretStore to + fetch the ExternalSecret data. + properties: + kind: + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + type: object + required: + - remoteRef + - secretKey + type: object + type: array + dataFrom: + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order + items: + properties: + extract: + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + metadataPolicy: + default: None + description: Policy for fetching tags/labels from provider + secrets, possible options are Fetch, None. 
Defaults to + None + enum: + - None + - Fetch + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + find: + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None + type: string + name: + description: Finds secrets based on the name. + properties: + regexp: + description: Finds secrets base + type: string + type: object + path: + description: A root path to start the find operations. + type: string + tags: + additionalProperties: + type: string + description: Find secrets based on tags. + type: object + type: object + rewrite: + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + items: + properties: + regexp: + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. + properties: + source: + description: Used to define the regular expression + of a re.Compiler. + type: string + target: + description: Used to define the target pattern of + a ReplaceAll operation. + type: string + required: + - source + - target + type: object + transform: + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. 
+ properties: + template: + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object + type: object + type: array + sourceRef: + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values + maxProperties: 1 + properties: + generatorRef: + description: GeneratorRef points to a generator custom resource. + properties: + apiVersion: + default: generators.external-secrets.io/v1alpha1 + description: Specify the apiVersion of the generator + resource + type: string + kind: + description: Specify the Kind of the resource, e.g. + Password, ACRAccessToken etc. + type: string + name: + description: Specify the name of the generator resource + type: string + required: + - kind + - name + type: object + storeRef: + description: SecretStoreRef defines which SecretStore to + fetch the ExternalSecret data. + properties: + kind: + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + type: object + type: object + type: array + refreshInterval: + default: 1h + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. + type: string + secretStoreRef: + description: SecretStoreRef defines which SecretStore to fetch the + ExternalSecret data. 
+ properties: + kind: + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + target: + default: + creationPolicy: Owner + deletionPolicy: Retain + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. + properties: + creationPolicy: + default: Owner + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' + enum: + - Owner + - Orphan + - Merge + - None + type: string + deletionPolicy: + default: Retain + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' + enum: + - Delete + - Merge + - Retain + type: string + immutable: + description: Immutable defines if the final secret will be immutable + type: boolean + name: + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource + type: string + template: + description: Template defines a blueprint for the created Secret + resource. + properties: + data: + additionalProperties: + type: string + type: object + engineVersion: + default: v2 + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 + type: string + mergePolicy: + default: Replace + enum: + - Replace + - Merge + type: string + metadata: + description: ExternalSecretTemplateMetadata defines metadata + fields for the Secret blueprint. 
+ properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + templateFrom: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + templateAs: + default: Values + enum: + - Values + - KeysAndValues + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + literal: + type: string + secret: + properties: + items: + items: + properties: + key: + type: string + templateAs: + default: Values + enum: + - Values + - KeysAndValues + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + target: + default: Data + enum: + - Data + - Annotations + - Labels + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: object + status: + properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service + reference to the secret + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + refreshTime: + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated + format: date-time + nullable: true + type: string + syncedResourceVersion: + description: SyncedResourceVersion keeps track of the last synced + version + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + categories: + - externalsecrets + kind: ExternalSecret + listKind: ExternalSecretList + plural: externalsecrets + shortNames: + - es + singular: externalsecret + conditions: + - lastTransitionTime: "2024-01-10T18:09:34Z" + message: no conflicts found + reason: NoConflicts + status: "True" + type: NamesAccepted + - lastTransitionTime: "2024-01-10T18:09:34Z" + message: the initial names have been accepted + reason: InitialNamesAccepted + status: "True" + type: Established + storedVersions: + - v1beta1 diff --git a/crds/external-secrets/crds.json b/crds/external-secrets/crds.json new file mode 100644 index 0000000000..d27f637363 --- /dev/null +++ b/crds/external-secrets/crds.json 
@@ -0,0 +1,1035 @@ +{ + "apiVersion": "apiextensions.k8s.io/v1", + "kind": "CustomResourceDefinition", + "metadata": { + "labels": { + "external-secrets.io/component": "controller" + }, + "name": "externalsecrets.external-secrets.io" + }, + "spec": { + "conversion": { + "strategy": "Webhook", + "webhook": { + "clientConfig": { + "service": { + "name": "external-secrets-webhook", + "namespace": "external-secrets", + "path": "/convert", + "port": 443 + } + }, + "conversionReviewVersions": [ + "v1" + ] + } + }, + "group": "external-secrets.io", + "names": { + "categories": [ + "externalsecrets" + ], + "kind": "ExternalSecret", + "listKind": "ExternalSecretList", + "plural": "externalsecrets", + "shortNames": [ + "es" + ], + "singular": "externalsecret" + }, + "scope": "Namespaced", + "versions": [ + { + "additionalPrinterColumns": [ + { + "jsonPath": ".spec.secretStoreRef.name", + "name": "Store", + "type": "string" + }, + { + "jsonPath": ".spec.refreshInterval", + "name": "Refresh Interval", + "type": "string" + }, + { + "jsonPath": ".status.conditions[?(@.type==\"Ready\")].reason", + "name": "Status", + "type": "string" + } + ], + "deprecated": true, + "name": "v1alpha1", + "schema": { + "openAPIV3Schema": { + "description": "ExternalSecret is the Schema for the external-secrets API.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: 
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "ExternalSecretSpec defines the desired state of ExternalSecret.", + "properties": { + "data": { + "description": "Data defines the connection between the Kubernetes Secret keys and the Provider data", + "items": { + "description": "ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.", + "properties": { + "remoteRef": { + "description": "ExternalSecretDataRemoteRef defines Provider data location.", + "properties": { + "conversionStrategy": { + "default": "Default", + "description": "Used to define a conversion Strategy", + "enum": [ + "Default", + "Unicode" + ], + "type": "string" + }, + "key": { + "description": "Key is the key used in the Provider, mandatory", + "type": "string" + }, + "property": { + "description": "Used to select a specific property of the Provider value (if a map), if supported", + "type": "string" + }, + "version": { + "description": "Used to select a specific version of the Provider value, if supported", + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "secretKey": { + "type": "string" + } + }, + "required": [ + "remoteRef", + "secretKey" + ], + "type": "object" + }, + "type": "array" + }, + "dataFrom": { + "description": "DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order", + "items": { + "description": "ExternalSecretDataRemoteRef defines Provider data location.", + "properties": { + "conversionStrategy": { + "default": "Default", + "description": "Used to define a conversion Strategy", + "enum": [ + "Default", + "Unicode" + ], + "type": "string" + }, + "key": { + "description": "Key is the key used in the Provider, mandatory", + "type": "string" + }, + 
"property": { + "description": "Used to select a specific property of the Provider value (if a map), if supported", + "type": "string" + }, + "version": { + "description": "Used to select a specific version of the Provider value, if supported", + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "type": "array" + }, + "refreshInterval": { + "default": "1h", + "description": "RefreshInterval is the amount of time before the values are read again from the SecretStore provider\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"\nMay be set to zero to fetch and create it once. Defaults to 1h.", + "type": "string" + }, + "secretStoreRef": { + "description": "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.", + "properties": { + "kind": { + "description": "Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`", + "type": "string" + }, + "name": { + "description": "Name of the SecretStore resource", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "target": { + "description": "ExternalSecretTarget defines the Kubernetes Secret to be created\nThere can be only one target per ExternalSecret.", + "properties": { + "creationPolicy": { + "default": "Owner", + "description": "CreationPolicy defines rules on how to create the resulting Secret\nDefaults to 'Owner'", + "enum": [ + "Owner", + "Merge", + "None" + ], + "type": "string" + }, + "immutable": { + "description": "Immutable defines if the final secret will be immutable", + "type": "boolean" + }, + "name": { + "description": "Name defines the name of the Secret resource to be managed\nThis field is immutable\nDefaults to the .metadata.name of the ExternalSecret resource", + "type": "string" + }, + "template": { + "description": "Template defines a blueprint for the created Secret resource.", + "properties": { + "data": { + "additionalProperties": { + "type": "string" 
+ }, + "type": "object" + }, + "engineVersion": { + "default": "v1", + "description": "EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "metadata": { + "description": "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "templateFrom": { + "items": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMap": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + } + }, + "required": [ + "items", + "name" + ], + "type": "object" + }, + "secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + } + }, + "required": [ + "items", + "name" + ], + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "secretStoreRef", + "target" + ], + "type": "object" + }, + "status": { + "properties": { + "binding": { + "description": "Binding represents a servicebinding.io Provisioned Service reference to the secret", + "properties": { + "name": { + "default": "", + "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. 
apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "conditions": { + "items": { + "properties": { + "lastTransitionTime": { + "format": "date-time", + "type": "string" + }, + "message": { + "type": "string" + }, + "reason": { + "type": "string" + }, + "status": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "status", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "refreshTime": { + "description": "refreshTime is the time and date the external secret was fetched and\nthe target secret updated", + "format": "date-time", + "nullable": true, + "type": "string" + }, + "syncedResourceVersion": { + "description": "SyncedResourceVersion keeps track of the last synced version", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "served": true, + "storage": false, + "subresources": { + "status": {} + } + }, + { + "additionalPrinterColumns": [ + { + "jsonPath": ".spec.secretStoreRef.name", + "name": "Store", + "type": "string" + }, + { + "jsonPath": ".spec.refreshInterval", + "name": "Refresh Interval", + "type": "string" + }, + { + "jsonPath": ".status.conditions[?(@.type==\"Ready\")].reason", + "name": "Status", + "type": "string" + }, + { + "jsonPath": ".status.conditions[?(@.type==\"Ready\")].status", + "name": "Ready", + "type": "string" + } + ], + "name": "v1beta1", + "schema": { + "openAPIV3Schema": { + "description": "ExternalSecret is the Schema for the external-secrets API.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject 
unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "ExternalSecretSpec defines the desired state of ExternalSecret.", + "properties": { + "data": { + "description": "Data defines the connection between the Kubernetes Secret keys and the Provider data", + "items": { + "description": "ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.", + "properties": { + "remoteRef": { + "description": "RemoteRef points to the remote secret and defines\nwhich secret (version/property/..) to fetch.", + "properties": { + "conversionStrategy": { + "default": "Default", + "description": "Used to define a conversion Strategy", + "enum": [ + "Default", + "Unicode" + ], + "type": "string" + }, + "decodingStrategy": { + "default": "None", + "description": "Used to define a decoding Strategy", + "enum": [ + "Auto", + "Base64", + "Base64URL", + "None" + ], + "type": "string" + }, + "key": { + "description": "Key is the key used in the Provider, mandatory", + "type": "string" + }, + "metadataPolicy": { + "default": "None", + "description": "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None", + "enum": [ + "None", + "Fetch" + ], + "type": "string" + }, + "property": { + "description": "Used to select a specific property of the Provider value (if a map), if supported", + "type": "string" + }, + "version": { + "description": "Used to select a specific version of the Provider value, if supported", + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "secretKey": { + "description": "SecretKey defines the key in which the controller stores\nthe value. This is the key in the Kind=Secret", + "type": "string" + }, + "sourceRef": { + "description": "SourceRef allows you to override the source\nfrom which the value will pulled from.", + "maxProperties": 1, + "properties": { + "generatorRef": { + "description": "GeneratorRef points to a generator custom resource.\n\n\nDeprecated: The generatorRef is not implemented in .data[].\nthis will be removed with v1.", + "properties": { + "apiVersion": { + "default": "generators.external-secrets.io/v1alpha1", + "description": "Specify the apiVersion of the generator resource", + "type": "string" + }, + "kind": { + "description": "Specify the Kind of the resource, e.g. 
Password, ACRAccessToken etc.", + "type": "string" + }, + "name": { + "description": "Specify the name of the generator resource", + "type": "string" + } + }, + "required": [ + "kind", + "name" + ], + "type": "object" + }, + "storeRef": { + "description": "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.", + "properties": { + "kind": { + "description": "Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`", + "type": "string" + }, + "name": { + "description": "Name of the SecretStore resource", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "remoteRef", + "secretKey" + ], + "type": "object" + }, + "type": "array" + }, + "dataFrom": { + "description": "DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order", + "items": { + "properties": { + "extract": { + "description": "Used to extract multiple key/value pairs from one secret\nNote: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.", + "properties": { + "conversionStrategy": { + "default": "Default", + "description": "Used to define a conversion Strategy", + "enum": [ + "Default", + "Unicode" + ], + "type": "string" + }, + "decodingStrategy": { + "default": "None", + "description": "Used to define a decoding Strategy", + "enum": [ + "Auto", + "Base64", + "Base64URL", + "None" + ], + "type": "string" + }, + "key": { + "description": "Key is the key used in the Provider, mandatory", + "type": "string" + }, + "metadataPolicy": { + "default": "None", + "description": "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None", + "enum": [ + "None", + "Fetch" + ], + "type": "string" + }, + "property": { + "description": "Used to select a specific property of the Provider value (if a map), if supported", + "type": "string" + }, + "version": { + "description": "Used to select a specific version of the Provider value, if supported", + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "find": { + "description": "Used to find secrets based on tags or regular expressions\nNote: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.", + "properties": { + "conversionStrategy": { + "default": "Default", + "description": "Used to define a conversion Strategy", + "enum": [ + "Default", + "Unicode" + ], + "type": "string" + }, + "decodingStrategy": { + "default": "None", + "description": "Used to define a decoding Strategy", + "enum": [ + "Auto", + "Base64", + "Base64URL", + "None" + ], + "type": "string" + }, + "name": { + "description": "Finds secrets based on the name.", + "properties": { + "regexp": { + "description": "Finds secrets base", + "type": "string" + } + }, + "type": "object" + }, + "path": { + "description": "A root path to start the find operations.", + "type": "string" + }, + "tags": { + "additionalProperties": { + "type": "string" + }, + "description": "Find secrets based on tags.", + "type": "object" + } + }, + "type": "object" + }, + "rewrite": { + "description": "Used to rewrite secret Keys after getting them from the secret Provider\nMultiple Rewrite operations can be provided. 
They are applied in a layered order (first to last)", + "items": { + "properties": { + "regexp": { + "description": "Used to rewrite with regular expressions.\nThe resulting key will be the output of a regexp.ReplaceAll operation.", + "properties": { + "source": { + "description": "Used to define the regular expression of a re.Compiler.", + "type": "string" + }, + "target": { + "description": "Used to define the target pattern of a ReplaceAll operation.", + "type": "string" + } + }, + "required": [ + "source", + "target" + ], + "type": "object" + }, + "transform": { + "description": "Used to apply string transformation on the secrets.\nThe resulting key will be the output of the template applied by the operation.", + "properties": { + "template": { + "description": "Used to define the template to apply on the secret name.\n`.value ` will specify the secret name in the template.", + "type": "string" + } + }, + "required": [ + "template" + ], + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "sourceRef": { + "description": "SourceRef points to a store or generator\nwhich contains secret values ready to use.\nUse this in combination with Extract or Find pull values out of\na specific SecretStore.\nWhen sourceRef points to a generator Extract or Find is not supported.\nThe generator returns a static map of values", + "maxProperties": 1, + "properties": { + "generatorRef": { + "description": "GeneratorRef points to a generator custom resource.", + "properties": { + "apiVersion": { + "default": "generators.external-secrets.io/v1alpha1", + "description": "Specify the apiVersion of the generator resource", + "type": "string" + }, + "kind": { + "description": "Specify the Kind of the resource, e.g. 
Password, ACRAccessToken etc.", + "type": "string" + }, + "name": { + "description": "Specify the name of the generator resource", + "type": "string" + } + }, + "required": [ + "kind", + "name" + ], + "type": "object" + }, + "storeRef": { + "description": "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.", + "properties": { + "kind": { + "description": "Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`", + "type": "string" + }, + "name": { + "description": "Name of the SecretStore resource", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "refreshInterval": { + "default": "1h", + "description": "RefreshInterval is the amount of time before the values are read again from the SecretStore provider\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\"\nMay be set to zero to fetch and create it once. 
Defaults to 1h.", + "type": "string" + }, + "secretStoreRef": { + "description": "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.", + "properties": { + "kind": { + "description": "Kind of the SecretStore resource (SecretStore or ClusterSecretStore)\nDefaults to `SecretStore`", + "type": "string" + }, + "name": { + "description": "Name of the SecretStore resource", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "target": { + "default": { + "creationPolicy": "Owner", + "deletionPolicy": "Retain" + }, + "description": "ExternalSecretTarget defines the Kubernetes Secret to be created\nThere can be only one target per ExternalSecret.", + "properties": { + "creationPolicy": { + "default": "Owner", + "description": "CreationPolicy defines rules on how to create the resulting Secret\nDefaults to 'Owner'", + "enum": [ + "Owner", + "Orphan", + "Merge", + "None" + ], + "type": "string" + }, + "deletionPolicy": { + "default": "Retain", + "description": "DeletionPolicy defines rules on how to delete the resulting Secret\nDefaults to 'Retain'", + "enum": [ + "Delete", + "Merge", + "Retain" + ], + "type": "string" + }, + "immutable": { + "description": "Immutable defines if the final secret will be immutable", + "type": "boolean" + }, + "name": { + "description": "Name defines the name of the Secret resource to be managed\nThis field is immutable\nDefaults to the .metadata.name of the ExternalSecret resource", + "type": "string" + }, + "template": { + "description": "Template defines a blueprint for the created Secret resource.", + "properties": { + "data": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "engineVersion": { + "default": "v2", + "description": "EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "mergePolicy": { + 
"default": "Replace", + "enum": [ + "Replace", + "Merge" + ], + "type": "string" + }, + "metadata": { + "description": "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "templateFrom": { + "items": { + "properties": { + "configMap": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "templateAs": { + "default": "Values", + "enum": [ + "Values", + "KeysAndValues" + ], + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + } + }, + "required": [ + "items", + "name" + ], + "type": "object" + }, + "literal": { + "type": "string" + }, + "secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "templateAs": { + "default": "Values", + "enum": [ + "Values", + "KeysAndValues" + ], + "type": "string" + } + }, + "required": [ + "key" + ], + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + } + }, + "required": [ + "items", + "name" + ], + "type": "object" + }, + "target": { + "default": "Data", + "enum": [ + "Data", + "Annotations", + "Labels" + ], + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "status": { + "properties": { + "binding": { + "description": "Binding represents a servicebinding.io Provisioned Service reference to the secret", + "properties": { + "name": { + "default": "", + "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. 
Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "conditions": { + "items": { + "properties": { + "lastTransitionTime": { + "format": "date-time", + "type": "string" + }, + "message": { + "type": "string" + }, + "reason": { + "type": "string" + }, + "status": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "status", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "refreshTime": { + "description": "refreshTime is the time and date the external secret was fetched and\nthe target secret updated", + "format": "date-time", + "nullable": true, + "type": "string" + }, + "syncedResourceVersion": { + "description": "SyncedResourceVersion keeps track of the last synced version", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "served": true, + "storage": true, + "subresources": { + "status": {} + } + } + ] + }, + "status": { + "acceptedNames": { + "categories": [ + "externalsecrets" + ], + "kind": "ExternalSecret", + "listKind": "ExternalSecretList", + "plural": "externalsecrets", + "shortNames": [ + "es" + ], + "singular": "externalsecret" + }, + "conditions": [ + { + "lastTransitionTime": "2024-01-10T18:09:34Z", + "message": "no conflicts found", + "reason": "NoConflicts", + "status": "True", + "type": "NamesAccepted" + }, + { + "lastTransitionTime": "2024-01-10T18:09:34Z", + "message": "the initial names have been accepted", + "reason": "InitialNamesAccepted", + "status": "True", + "type": "Established" + } + ], + "storedVersions": [ + "v1beta1" + ] + } + } \ No newline at end of file 
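Review bot: The trailing `"status"` object in `crds/external-secrets/crds.json` (`acceptedNames`, the two `conditions` stamped `2024-01-10T18:09:34Z`, `storedVersions`) is server-populated state, which suggests the file was exported from a running cluster rather than taken from a release artifact. I would drop that object and record in the commit message which upstream version the CRD came from. The v1alpha1 `additionalPrinterColumns` here (`.spec.secretStoreRef.name`, `.spec.refreshInterval`) also disagree with the YAML copy added in `crds/external-secrets/external-secrets.io_externalsecrets.yaml` (`.spec.externalSecretSpec.secretStoreRef.name`, `.spec.refreshTime`), so the two copies appear to come from different versions and should be regenerated from one source. `spec.conversion` keeps `"strategy": "Webhook"` pointing at `external-secrets-webhook` in namespace `external-secrets` with no `caBundle`. That is harmless if the file is only input for model generation, but if it is ever applied, conversion depends on the CA being supplied out of band, so the intended use should be stated next to the file.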
diff --git a/crds/external-secrets/external-secrets.io_externalsecrets.yaml b/crds/external-secrets/external-secrets.io_externalsecrets.yaml new file mode 100644 index 0000000000..0bdf259b24 --- /dev/null +++ b/crds/external-secrets/external-secrets.io_externalsecrets.yaml 
@@ -0,0 +1,872 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + external-secrets.io/component: controller + name: externalsecrets.external-secrets.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: external-secrets-webhook + namespace: external-secrets + path: /convert + port: 443 + conversionReviewVersions: + - v1 + group: external-secrets.io + names: + categories: + - externalsecrets + kind: ExternalSecret + listKind: ExternalSecretList + plural: externalsecrets + shortNames: + - es + singular: externalsecret + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.externalSecretSpec.secretStoreRef.name + name: Store + type: string + - jsonPath: .spec.refreshTime + name: Refresh Interval + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + deprecated: true + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExternalSecret is the Schema for the external-secrets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ExternalSecretSpec defines the desired state of ExternalSecret. 
+ properties: + data: + description: Data defines the connection between the Kubernetes Secret + keys and the Provider data + items: + description: ExternalSecretData defines the connection between the + Kubernetes Secret key (spec.data.) and the Provider data. + properties: + remoteRef: + description: ExternalSecretDataRemoteRef defines Provider data + location. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + secretKey: + type: string + required: + - remoteRef + - secretKey + type: object + type: array + dataFrom: + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order + items: + description: ExternalSecretDataRemoteRef defines Provider data location. 
+ properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + type: array + refreshInterval: + default: 1h + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. + type: string + secretStoreRef: + description: SecretStoreRef defines which SecretStore to fetch the + ExternalSecret data. + properties: + kind: + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + target: + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. + properties: + creationPolicy: + default: Owner + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' + enum: + - Owner + - Merge + - None + type: string + immutable: + description: Immutable defines if the final secret will be immutable + type: boolean + name: + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource + type: string + template: + description: Template defines a blueprint for the created Secret + resource. 
+ properties: + data: + additionalProperties: + type: string + type: object + engineVersion: + default: v1 + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 + type: string + metadata: + description: ExternalSecretTemplateMetadata defines metadata + fields for the Secret blueprint. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + templateFrom: + items: + maxProperties: 1 + minProperties: 1 + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + type: object + type: array + type: + type: string + type: object + type: object + required: + - secretStoreRef + - target + type: object + status: + properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service + reference to the secret + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + refreshTime: + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated + format: date-time + nullable: true + type: string + syncedResourceVersion: + description: SyncedResourceVersion keeps track of the last synced + version + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.secretStoreRef.name + name: Store + type: string + - jsonPath: .spec.refreshInterval + name: Refresh Interval + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: ExternalSecret is the Schema for the external-secrets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ExternalSecretSpec defines the desired state of ExternalSecret. 
+ properties: + data: + description: Data defines the connection between the Kubernetes Secret + keys and the Provider data + items: + description: ExternalSecretData defines the connection between the + Kubernetes Secret key (spec.data.) and the Provider data. + properties: + remoteRef: + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + metadataPolicy: + default: None + description: Policy for fetching tags/labels from provider + secrets, possible options are Fetch, None. Defaults to + None + enum: + - None + - Fetch + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + secretKey: + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret + type: string + sourceRef: + description: |- + SourceRef allows you to override the source + from which the value will pulled from. + maxProperties: 1 + properties: + generatorRef: + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. + properties: + apiVersion: + default: generators.external-secrets.io/v1alpha1 + description: Specify the apiVersion of the generator + resource + type: string + kind: + description: Specify the Kind of the resource, e.g. 
+ Password, ACRAccessToken etc. + type: string + name: + description: Specify the name of the generator resource + type: string + required: + - kind + - name + type: object + storeRef: + description: SecretStoreRef defines which SecretStore to + fetch the ExternalSecret data. + properties: + kind: + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + type: object + required: + - remoteRef + - secretKey + type: object + type: array + dataFrom: + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order + items: + properties: + extract: + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + metadataPolicy: + default: None + description: Policy for fetching tags/labels from provider + secrets, possible options are Fetch, None. 
Defaults to + None + enum: + - None + - Fetch + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + find: + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + enum: + - Default + - Unicode + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None + type: string + name: + description: Finds secrets based on the name. + properties: + regexp: + description: Finds secrets base + type: string + type: object + path: + description: A root path to start the find operations. + type: string + tags: + additionalProperties: + type: string + description: Find secrets based on tags. + type: object + type: object + rewrite: + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + items: + properties: + regexp: + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. + properties: + source: + description: Used to define the regular expression + of a re.Compiler. + type: string + target: + description: Used to define the target pattern of + a ReplaceAll operation. + type: string + required: + - source + - target + type: object + transform: + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. 
+ properties: + template: + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object + type: object + type: array + sourceRef: + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values + maxProperties: 1 + properties: + generatorRef: + description: GeneratorRef points to a generator custom resource. + properties: + apiVersion: + default: generators.external-secrets.io/v1alpha1 + description: Specify the apiVersion of the generator + resource + type: string + kind: + description: Specify the Kind of the resource, e.g. + Password, ACRAccessToken etc. + type: string + name: + description: Specify the name of the generator resource + type: string + required: + - kind + - name + type: object + storeRef: + description: SecretStoreRef defines which SecretStore to + fetch the ExternalSecret data. + properties: + kind: + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + type: object + type: object + type: array + refreshInterval: + default: 1h + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. + type: string + secretStoreRef: + description: SecretStoreRef defines which SecretStore to fetch the + ExternalSecret data. 
+ properties: + kind: + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + target: + default: + creationPolicy: Owner + deletionPolicy: Retain + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. + properties: + creationPolicy: + default: Owner + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' + enum: + - Owner + - Orphan + - Merge + - None + type: string + deletionPolicy: + default: Retain + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' + enum: + - Delete + - Merge + - Retain + type: string + immutable: + description: Immutable defines if the final secret will be immutable + type: boolean + name: + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource + type: string + template: + description: Template defines a blueprint for the created Secret + resource. + properties: + data: + additionalProperties: + type: string + type: object + engineVersion: + default: v2 + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 + type: string + mergePolicy: + default: Replace + enum: + - Replace + - Merge + type: string + metadata: + description: ExternalSecretTemplateMetadata defines metadata + fields for the Secret blueprint. 
+ properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + templateFrom: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + templateAs: + default: Values + enum: + - Values + - KeysAndValues + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + literal: + type: string + secret: + properties: + items: + items: + properties: + key: + type: string + templateAs: + default: Values + enum: + - Values + - KeysAndValues + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + target: + default: Data + enum: + - Data + - Annotations + - Labels + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: object + status: + properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service + reference to the secret + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ type: string + type: object + x-kubernetes-map-type: atomic + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + refreshTime: + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated + format: date-time + nullable: true + type: string + syncedResourceVersion: + description: SyncedResourceVersion keeps track of the last synced + version + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + categories: + - externalsecrets + kind: ExternalSecret + listKind: ExternalSecretList + plural: externalsecrets + shortNames: + - es + singular: externalsecret + conditions: + - lastTransitionTime: "2024-01-10T18:09:34Z" + message: no conflicts found + reason: NoConflicts + status: "True" + type: NamesAccepted + - lastTransitionTime: "2024-01-10T18:09:34Z" + message: the initial names have been accepted + reason: InitialNamesAccepted + status: "True" + type: Established + storedVersions: + - v1beta1
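Review bot: The v1alpha1 `additionalPrinterColumns` at the top of this hunk read `.spec.externalSecretSpec.secretStoreRef.name` and `.spec.refreshTime`, but the v1alpha1 schema further down puts `secretStoreRef` and `refreshInterval` directly under `spec` and has `refreshTime` only under `status`, so the Store and Refresh Interval columns would come out empty for that version. The v1beta1 entry in the same file uses `jsonPath: .spec.secretStoreRef.name` and `jsonPath: .spec.refreshInterval`, which match the schema, and the v1alpha1 entry should use the same two paths. Separately, the trailing `status:` stanza (`acceptedNames`, `conditions` stamped 2024-01-10T18:09:34Z, `storedVersions`) is server-populated state, which suggests the manifest was exported from a running cluster rather than taken from generator output. I would drop that stanza and add a header comment recording the upstream source and release the CRD was taken from, so the committed schema can be traced and regenerated.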