--- # Source: external-secrets/charts/external-secrets/templates/crds/clusterpushsecret.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 labels: external-secrets.io/component: controller name: clusterpushsecrets.external-secrets.io spec: group: external-secrets.io names: categories: - external-secrets kind: ClusterPushSecret listKind: ClusterPushSecretList plural: clusterpushsecrets singular: clusterpushsecret scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: AGE type: date - jsonPath: .status.conditions[?(@.type=="Ready")].reason name: Status type: string name: v1alpha1 schema: openAPIV3Schema: description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource. properties: namespaceSelectors: description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed. items: description: |- A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: array pushSecretMetadata: description: The metadata of the external secrets to be created properties: annotations: additionalProperties: type: string type: object labels: additionalProperties: type: string type: object type: object pushSecretName: description: |- The name of the push secrets to be created. Defaults to the name of the ClusterPushSecret maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string pushSecretSpec: description: PushSecretSpec defines what to do with the secrets. properties: data: description: Secret Data that should be pushed to providers items: description: PushSecretData defines data to be pushed to the provider and associated metadata. properties: conversionStrategy: default: None description: Used to define a conversion Strategy for the secret keys enum: - None - ReverseUnicode type: string match: description: Match a given Secret Key to be pushed to the provider. properties: remoteRef: description: Remote Refs to push to providers. properties: property: description: Name of the property in the resulting secret type: string remoteKey: description: Name of the resulting provider secret. type: string required: - remoteKey type: object secretKey: description: Secret Key to be pushed type: string required: - remoteRef type: object metadata: description: |- Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match type: object type: array deletionPolicy: default: None description: Deletion Policy to handle Secrets in the provider. enum: - Delete - None type: string refreshInterval: default: 1h description: The Interval to which External Secrets will try to push a secret definition type: string secretStoreRefs: items: description: PushSecretStoreRef contains a reference on how to sync to a SecretStore. properties: kind: default: SecretStore description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) enum: - SecretStore - ClusterSecretStore type: string labelSelector: description: Optionally, sync to secret stores with label selector properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic name: description: Optionally, sync to the SecretStore of the given name maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: object type: array selector: description: The Secret Selector (k8s source) for the Push Secret maxProperties: 1 minProperties: 1 properties: generatorRef: description: Point to a generator to create a Secret. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 description: Specify the apiVersion of the generator resource type: string kind: description: Specify the Kind of the generator resource enum: - ACRAccessToken - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken - Fake - GCRAccessToken - GithubAccessToken - QuayAccessToken - Password - SSHKey - STSSessionToken - UUID - VaultDynamicSecret - Webhook - Grafana - MFA type: string name: description: Specify the name of the generator resource maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - kind - name type: object secret: description: Select a Secret to Push. properties: name: description: |- Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string selector: description: Selector chooses secrets using a labelSelector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object type: object template: description: Template defines a blueprint for the created Secret resource. properties: data: additionalProperties: type: string type: object engineVersion: default: v2 description: |- EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. enum: - v2 type: string mergePolicy: default: Replace description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. enum: - Replace - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: annotations: additionalProperties: type: string type: object finalizers: items: type: string type: array labels: additionalProperties: type: string type: object type: object templateFrom: items: description: |- TemplateFrom specifies a source for templates. Each item in the list can either reference a ConfigMap or a Secret resource. properties: configMap: description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. properties: items: description: A list of keys in the ConfigMap/Secret to use as templates for Secret data items: description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. properties: key: description: A key in the ConfigMap/Secret maxLength: 253 minLength: 1 pattern: ^[-._a-zA-Z0-9]+$ type: string templateAs: default: Values description: TemplateScope specifies how the template keys should be interpreted. enum: - Values - KeysAndValues type: string required: - key type: object type: array name: description: The name of the ConfigMap/Secret resource maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - items - name type: object literal: type: string secret: description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. properties: items: description: A list of keys in the ConfigMap/Secret to use as templates for Secret data items: description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. properties: key: description: A key in the ConfigMap/Secret maxLength: 253 minLength: 1 pattern: ^[-._a-zA-Z0-9]+$ type: string templateAs: default: Values description: TemplateScope specifies how the template keys should be interpreted. enum: - Values - KeysAndValues type: string required: - key type: object type: array name: description: The name of the ConfigMap/Secret resource maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - items - name type: object target: default: Data description: |- Target specifies where to place the template result. For Secret resources, common values are: "Data", "Annotations", "Labels". For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data". type: string type: object type: array type: type: string type: object updatePolicy: default: Replace description: UpdatePolicy to handle Secrets in the provider. enum: - Replace - IfNotExists type: string required: - secretStoreRefs - selector type: object refreshTime: description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - pushSecretSpec type: object status: description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource. properties: conditions: items: description: PushSecretStatusCondition indicates the status of the PushSecret. properties: lastTransitionTime: format: date-time type: string message: type: string reason: type: string status: type: string type: description: PushSecretConditionType indicates the condition of the PushSecret. type: string required: - status - type type: object type: array failedNamespaces: description: Failed namespaces are the namespaces that failed to apply an PushSecret items: description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason. properties: namespace: description: Namespace is the namespace that failed when trying to apply an PushSecret type: string reason: description: Reason is why the PushSecret failed to apply to the namespace type: string required: - namespace type: object type: array provisionedNamespaces: description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets items: type: string type: array pushSecretName: type: string type: object type: object served: true storage: true subresources: status: {}