---
# Source: external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  labels:
    external-secrets.io/component: controller
  name: externalsecrets.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - external-secrets
    kind: ExternalSecret
    listKind: ExternalSecretList
    plural: externalsecrets
    shortNames:
    - es
    singular: externalsecret
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.secretStoreRef.kind
      name: StoreType
      type: string
    - jsonPath: .spec.secretStoreRef.name
      name: Store
      type: string
    - jsonPath: .spec.refreshInterval
      name: Refresh Interval
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: |-
          ExternalSecret is the Schema for the external-secrets API.
          It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ExternalSecretSpec defines the desired state of ExternalSecret.
            properties:
              data:
                description: Data defines the connection between the Kubernetes Secret keys and the Provider data
                items:
                  description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
                  properties:
                    remoteRef:
                      description: |-
                        RemoteRef points to the remote secret and defines
                        which secret (version/property/..) to fetch.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        key:
                          description: Key is the key used in the Provider, mandatory
                          type: string
                        metadataPolicy:
                          default: None
                          description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
                          enum:
                          - None
                          - Fetch
                          type: string
                        property:
                          description: Used to select a specific property of the Provider value (if a map), if supported
                          type: string
                        version:
                          description: Used to select a specific version of the Provider value, if supported
                          type: string
                      required:
                      - key
                      type: object
                    secretKey:
                      description: The key in the Kubernetes Secret to store the value.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[-._a-zA-Z0-9]+$
                      type: string
                    sourceRef:
                      description: |-
                        SourceRef allows you to override the source
                        from which the value will be pulled.
                      maxProperties: 1
                      minProperties: 1
                      properties:
                        generatorRef:
                          description: |-
                            GeneratorRef points to a generator custom resource.
                            Deprecated: The generatorRef is not implemented in .data[].
                            this will be removed with v1.
                          properties:
                            apiVersion:
                              default: generators.external-secrets.io/v1alpha1
                              description: Specify the apiVersion of the generator resource
                              type: string
                            kind:
                              description: Specify the Kind of the generator resource
                              enum:
                              - ACRAccessToken
                              - ClusterGenerator
                              - CloudsmithAccessToken
                              - ECRAuthorizationToken
                              - Fake
                              - GCRAccessToken
                              - GithubAccessToken
                              - QuayAccessToken
                              - Password
                              - SSHKey
                              - STSSessionToken
                              - UUID
                              - VaultDynamicSecret
                              - Webhook
                              - Grafana
                              - MFA
                              type: string
                            name:
                              description: Specify the name of the generator resource
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                          required:
                          - kind
                          - name
                          type: object
                        storeRef:
                          description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
                          properties:
                            kind:
                              description: |-
                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                Defaults to `SecretStore`
                              enum:
                              - SecretStore
                              - ClusterSecretStore
                              type: string
                            name:
                              description: Name of the SecretStore resource
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                          type: object
                      type: object
                  required:
                  - remoteRef
                  - secretKey
                  type: object
                type: array
              dataFrom:
                description: |-
                  DataFrom is used to fetch all properties from a specific Provider data
                  If multiple entries are specified, the Secret keys are merged in the specified order
                items:
                  description: |-
                    ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
                    when using DataFrom to fetch multiple values from a Provider.
                  properties:
                    extract:
                      description: |-
                        Used to extract multiple key/value pairs from one secret
                        Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        key:
                          description: Key is the key used in the Provider, mandatory
                          type: string
                        metadataPolicy:
                          default: None
                          description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
                          enum:
                          - None
                          - Fetch
                          type: string
                        property:
                          description: Used to select a specific property of the Provider value (if a map), if supported
                          type: string
                        version:
                          description: Used to select a specific version of the Provider value, if supported
                          type: string
                      required:
                      - key
                      type: object
                    find:
                      description: |-
                        Used to find secrets based on tags or regular expressions
                        Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        name:
                          description: Finds secrets based on the name.
                          properties:
                            regexp:
                              description: Finds secrets base
                              type: string
                          type: object
                        path:
                          description: A root path to start the find operations.
                          type: string
                        tags:
                          additionalProperties:
                            type: string
                          description: Find secrets based on tags.
                          type: object
                      type: object
                    rewrite:
                      description: |-
                        Used to rewrite secret Keys after getting them from the secret Provider
                        Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
                      items:
                        description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          merge:
                            description: |-
                              Used to merge key/values in one single Secret
                              The resulting key will contain all values from the specified secrets
                            properties:
                              conflictPolicy:
                                default: Error
                                description: Used to define the policy to use in conflict resolution.
                                enum:
                                - Ignore
                                - Error
                                type: string
                              into:
                                default: ""
                                description: |-
                                  Used to define the target key of the merge operation.
                                  Required if strategy is JSON. Ignored otherwise.
                                type: string
                              priority:
                                description: Used to define key priority in conflict resolution.
                                items:
                                  type: string
                                type: array
                              priorityPolicy:
                                default: Strict
                                description: Used to define the policy when a key in the priority list does not exist in the input.
                                enum:
                                - IgnoreNotFound
                                - Strict
                                type: string
                              strategy:
                                default: Extract
                                description: Used to define the strategy to use in the merge operation.
                                enum:
                                - Extract
                                - JSON
                                type: string
                            type: object
                          regexp:
                            description: |-
                              Used to rewrite with regular expressions.
                              The resulting key will be the output of a regexp.ReplaceAll operation.
                            properties:
                              source:
                                description: Used to define the regular expression of a re.Compiler.
                                type: string
                              target:
                                description: Used to define the target pattern of a ReplaceAll operation.
                                type: string
                            required:
                            - source
                            - target
                            type: object
                          transform:
                            description: |-
                              Used to apply string transformation on the secrets.
                              The resulting key will be the output of the template applied by the operation.
                            properties:
                              template:
                                description: |-
                                  Used to define the template to apply on the secret name.
                                  `.value ` will specify the secret name in the template.
                                type: string
                            required:
                            - template
                            type: object
                        type: object
                      type: array
                    sourceRef:
                      description: |-
                        SourceRef points to a store or generator
                        which contains secret values ready to use.
                        Use this in combination with Extract or Find pull values out of
                        a specific SecretStore.
                        When sourceRef points to a generator Extract or Find is not supported.
                        The generator returns a static map of values
                      maxProperties: 1
                      minProperties: 1
                      properties:
                        generatorRef:
                          description: GeneratorRef points to a generator custom resource.
                          properties:
                            apiVersion:
                              default: generators.external-secrets.io/v1alpha1
                              description: Specify the apiVersion of the generator resource
                              type: string
                            kind:
                              description: Specify the Kind of the generator resource
                              enum:
                              - ACRAccessToken
                              - ClusterGenerator
                              - CloudsmithAccessToken
                              - ECRAuthorizationToken
                              - Fake
                              - GCRAccessToken
                              - GithubAccessToken
                              - QuayAccessToken
                              - Password
                              - SSHKey
                              - STSSessionToken
                              - UUID
                              - VaultDynamicSecret
                              - Webhook
                              - Grafana
                              - MFA
                              type: string
                            name:
                              description: Specify the name of the generator resource
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                          required:
                          - kind
                          - name
                          type: object
                        storeRef:
                          description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
                          properties:
                            kind:
                              description: |-
                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                Defaults to `SecretStore`
                              enum:
                              - SecretStore
                              - ClusterSecretStore
                              type: string
                            name:
                              description: Name of the SecretStore resource
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                          type: object
                      type: object
                  type: object
                type: array
              refreshInterval:
                default: 1h
                description: |-
                  RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                  specified as Golang Duration strings.
                  Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
                  Example values: "1h", "2h30m", "10s"
                  May be set to zero to fetch and create it once. Defaults to 1h.
                type: string
              refreshPolicy:
                description: |-
                  RefreshPolicy determines how the ExternalSecret should be refreshed:
                  - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
                  - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
                    No periodic updates occur if refreshInterval is 0.
                  - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
                enum:
                - CreatedOnce
                - Periodic
                - OnChange
                type: string
              secretStoreRef:
                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
                properties:
                  kind:
                    description: |-
                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                      Defaults to `SecretStore`
                    enum:
                    - SecretStore
                    - ClusterSecretStore
                    type: string
                  name:
                    description: Name of the SecretStore resource
                    maxLength: 253
                    minLength: 1
                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    type: string
                type: object
              target:
                default:
                  creationPolicy: Owner
                  deletionPolicy: Retain
                description: |-
                  ExternalSecretTarget defines the Kubernetes Secret to be created,
                  there can be only one target per ExternalSecret.
                properties:
                  creationPolicy:
                    default: Owner
                    description: |-
                      CreationPolicy defines rules on how to create the resulting Secret.
                      Defaults to "Owner"
                    enum:
                    - Owner
                    - Orphan
                    - Merge
                    - None
                    type: string
                  deletionPolicy:
                    default: Retain
                    description: |-
                      DeletionPolicy defines rules on how to delete the resulting Secret.
                      Defaults to "Retain"
                    enum:
                    - Delete
                    - Merge
                    - Retain
                    type: string
                  immutable:
                    description: Immutable defines if the final secret will be immutable
                    type: boolean
                  manifest:
                    description: |-
                      Manifest defines a custom Kubernetes resource to create instead of a Secret.
                      When specified, ExternalSecret will create the resource type defined here
                      (e.g., ConfigMap, Custom Resource) instead of a Secret.
                      Warning: Using Generic target. Make sure access policies and encryption are properly configured.
                    properties:
                      apiVersion:
                        description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
                        minLength: 1
                        type: string
                      kind:
                        description: Kind of the target resource (e.g., "ConfigMap", "Application")
                        minLength: 1
                        type: string
                    required:
                    - apiVersion
                    - kind
                    type: object
                  name:
                    description: |-
                      The name of the Secret resource to be managed.
                      Defaults to the .metadata.name of the ExternalSecret resource
                    maxLength: 253
                    minLength: 1
                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    type: string
                  template:
                    description: Template defines a blueprint for the created Secret resource.
                    properties:
                      data:
                        additionalProperties:
                          type: string
                        type: object
                      engineVersion:
                        default: v2
                        description: |-
                          EngineVersion specifies the template engine version
                          that should be used to compile/execute the
                          template specified in .data and .templateFrom[].
                        enum:
                        - v2
                        type: string
                      mergePolicy:
                        default: Replace
                        description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
                        enum:
                        - Replace
                        - Merge
                        type: string
                      metadata:
                        description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
                        properties:
                          annotations:
                            additionalProperties:
                              type: string
                            type: object
                          finalizers:
                            items:
                              type: string
                            type: array
                          labels:
                            additionalProperties:
                              type: string
                            type: object
                        type: object
                      templateFrom:
                        items:
                          description: |-
                            TemplateFrom specifies a source for templates.
                            Each item in the list can either reference a ConfigMap or a Secret resource.
                          properties:
                            configMap:
                              description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
                              properties:
                                items:
                                  description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
                                  items:
                                    description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
                                    properties:
                                      key:
                                        description: A key in the ConfigMap/Secret
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      templateAs:
                                        default: Values
                                        description: TemplateScope specifies how the template keys should be interpreted.
                                        enum:
                                        - Values
                                        - KeysAndValues
                                        type: string
                                    required:
                                    - key
                                    type: object
                                  type: array
                                name:
                                  description: The name of the ConfigMap/Secret resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              required:
                              - items
                              - name
                              type: object
                            literal:
                              type: string
                            secret:
                              description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
                              properties:
                                items:
                                  description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
                                  items:
                                    description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
                                    properties:
                                      key:
                                        description: A key in the ConfigMap/Secret
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      templateAs:
                                        default: Values
                                        description: TemplateScope specifies how the template keys should be interpreted.
                                        enum:
                                        - Values
                                        - KeysAndValues
                                        type: string
                                    required:
                                    - key
                                    type: object
                                  type: array
                                name:
                                  description: The name of the ConfigMap/Secret resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              required:
                              - items
                              - name
                              type: object
                            target:
                              default: Data
                              description: |-
                                Target specifies where to place the template result.
                                For Secret resources, common values are: "Data", "Annotations", "Labels".
                                For custom resources (when spec.target.manifest is set), this supports
                                nested paths like "spec.database.config" or "data".
                              type: string
                          type: object
                        type: array
                      type:
                        type: string
                    type: object
                type: object
            type: object
          status:
            description: ExternalSecretStatus defines the observed state of ExternalSecret.
            properties:
              binding:
                description: Binding represents a servicebinding.io Provisioned Service reference to the secret
                properties:
                  name:
                    default: ""
                    description: |-
                      Name of the referent.
                      This field is effectively required, but due to backwards compatibility is
                      allowed to be empty. Instances of this type with an empty value here are
                      almost certainly wrong.
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                    type: string
                type: object
                x-kubernetes-map-type: atomic
              conditions:
                items:
                  description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
                      enum:
                      - Ready
                      - Deleted
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              refreshTime:
                description: |-
                  refreshTime is the time and date the external secret was fetched and
                  the target secret updated
                format: date-time
                nullable: true
                type: string
              syncedResourceVersion:
                description: SyncedResourceVersion keeps track of the last synced version
                type: string
            type: object
        type: object
    selectableFields:
    - jsonPath: .spec.secretStoreRef.name
    - jsonPath: .spec.secretStoreRef.kind
    - jsonPath: .spec.target.name
    - jsonPath: .spec.refreshInterval
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.secretStoreRef.kind
      name: StoreType
      type: string
    - jsonPath: .spec.secretStoreRef.name
      name: Store
      type: string
    - jsonPath: .spec.refreshInterval
      name: Refresh Interval
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    deprecated: true
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: ExternalSecret is the schema for the external-secrets API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ExternalSecretSpec defines the desired state of ExternalSecret.
            properties:
              data:
                description: Data defines the connection between the Kubernetes Secret keys and the Provider data
                items:
                  description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
                  properties:
                    remoteRef:
                      description: |-
                        RemoteRef points to the remote secret and defines
                        which secret (version/property/..) to fetch.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        key:
                          description: Key is the key used in the Provider, mandatory
                          type: string
                        metadataPolicy:
                          default: None
                          description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
                          enum:
                          - None
                          - Fetch
                          type: string
                        property:
                          description: Used to select a specific property of the Provider value (if a map), if supported
                          type: string
                        version:
                          description: Used to select a specific version of the Provider value, if supported
                          type: string
                      required:
                      - key
                      type: object
                    secretKey:
                      description: The key in the Kubernetes Secret to store the value.
                      maxLength: 253
                      minLength: 1
                      pattern: ^[-._a-zA-Z0-9]+$
                      type: string
                    sourceRef:
                      description: |-
                        SourceRef allows you to override the source
                        from which the value will be pulled.
                      maxProperties: 1
                      minProperties: 1
                      properties:
                        generatorRef:
                          description: |-
                            GeneratorRef points to a generator custom resource.
                            Deprecated: The generatorRef is not implemented in .data[].
                            this will be removed with v1.
                          properties:
                            apiVersion:
                              default: generators.external-secrets.io/v1alpha1
                              description: Specify the apiVersion of the generator resource
                              type: string
                            kind:
                              description: Specify the Kind of the generator resource
                              enum:
                              - ACRAccessToken
                              - ClusterGenerator
                              - ECRAuthorizationToken
                              - Fake
                              - GCRAccessToken
                              - GithubAccessToken
                              - QuayAccessToken
                              - Password
                              - SSHKey
                              - STSSessionToken
                              - UUID
                              - VaultDynamicSecret
                              - Webhook
                              - Grafana
                              type: string
                            name:
                              description: Specify the name of the generator resource
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                          required:
                          - kind
                          - name
                          type: object
                        storeRef:
                          description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
                          properties:
                            kind:
                              description: |-
                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                Defaults to `SecretStore`
                              enum:
                              - SecretStore
                              - ClusterSecretStore
                              type: string
                            name:
                              description: Name of the SecretStore resource
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                          type: object
                      type: object
                  required:
                  - remoteRef
                  - secretKey
                  type: object
                type: array
              dataFrom:
                description: |-
                  DataFrom is used to fetch all properties from a specific Provider data
                  If multiple entries are specified, the Secret keys are merged in the specified order
                items:
                  description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
                  properties:
                    extract:
                      description: |-
                        Used to extract multiple key/value pairs from one secret
                        Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        key:
                          description: Key is the key used in the Provider, mandatory
                          type: string
                        metadataPolicy:
                          default: None
                          description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
                          enum:
                          - None
                          - Fetch
                          type: string
                        property:
                          description: Used to select a specific property of the Provider value (if a map), if supported
                          type: string
                        version:
                          description: Used to select a specific version of the Provider value, if supported
                          type: string
                      required:
                      - key
                      type: object
                    find:
                      description: |-
                        Used to find secrets based on tags or regular expressions
                        Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
                      properties:
                        conversionStrategy:
                          default: Default
                          description: Used to define a conversion Strategy
                          enum:
                          - Default
                          - Unicode
                          type: string
                        decodingStrategy:
                          default: None
                          description: Used to define a decoding Strategy
                          enum:
                          - Auto
                          - Base64
                          - Base64URL
                          - None
                          type: string
                        name:
                          description: Finds secrets based on the name.
                          properties:
                            regexp:
                              description: Finds secrets base
                              type: string
                          type: object
                        path:
                          description: A root path to start the find operations.
                          type: string
                        tags:
                          additionalProperties:
                            type: string
                          description: Find secrets based on tags.
                          type: object
                      type: object
                    rewrite:
                      description: |-
                        Used to rewrite secret Keys after getting them from the secret Provider
                        Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
                      items:
                        description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          regexp:
                            description: |-
                              Used to rewrite with regular expressions.
                              The resulting key will be the output of a regexp.ReplaceAll operation.
                            properties:
                              source:
                                description: Used to define the regular expression of a re.Compiler.
                                type: string
                              target:
                                description: Used to define the target pattern of a ReplaceAll operation.
                                type: string
                            required:
                            - source
                            - target
                            type: object
                          transform:
                            description: |-
                              Used to apply string transformation on the secrets.
                              The resulting key will be the output of the template applied by the operation.
                            properties:
                              template:
                                description: |-
                                  Used to define the template to apply on the secret name.
                                  `.value ` will specify the secret name in the template.
                                type: string
                            required:
                            - template
                            type: object
                        type: object
                      type: array
                    sourceRef:
                      description: |-
                        SourceRef points to a store or generator
                        which contains secret values ready to use.
                        Use this in combination with Extract or Find pull values out of
                        a specific SecretStore.
                        When sourceRef points to a generator Extract or Find is not supported.
                        The generator returns a static map of values
                      maxProperties: 1
                      minProperties: 1
                      properties:
                        generatorRef:
                          description: GeneratorRef points to a generator custom resource.
                          properties:
                            apiVersion:
                              default: generators.external-secrets.io/v1alpha1
                              description: Specify the apiVersion of the generator resource
                              type: string
                            kind:
                              description: Specify the Kind of the generator resource
                              enum:
                              - ACRAccessToken
                              - ClusterGenerator
                              - ECRAuthorizationToken
                              - Fake
                              - GCRAccessToken
                              - GithubAccessToken
                              - QuayAccessToken
                              - Password
                              - SSHKey
                              - STSSessionToken
                              - UUID
                              - VaultDynamicSecret
                              - Webhook
                              - Grafana
                              type: string
                            name:
                              description: Specify the name of the generator resource
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                          required:
                          - kind
                          - name
                          type: object
                        storeRef:
                          description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
                          properties:
                            kind:
                              description: |-
                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                Defaults to `SecretStore`
                              enum:
                              - SecretStore
                              - ClusterSecretStore
                              type: string
                            name:
                              description: Name of the SecretStore resource
                              maxLength: 253
                              minLength: 1
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                          type: object
                      type: object
                  type: object
                type: array
              refreshInterval:
                default: 1h
                description: |-
                  RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                  specified as Golang Duration strings.
                  Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
                  Example values: "1h", "2h30m", "10s"
                  May be set to zero to fetch and create it once. Defaults to 1h.
                type: string
              refreshPolicy:
                description: |-
                  RefreshPolicy determines how the ExternalSecret should be refreshed:
                  - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
                  - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
                    No periodic updates occur if refreshInterval is 0.
                  - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
                enum:
                - CreatedOnce
                - Periodic
                - OnChange
                type: string
              secretStoreRef:
                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
                properties:
                  kind:
                    description: |-
                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                      Defaults to `SecretStore`
                    enum:
                    - SecretStore
                    - ClusterSecretStore
                    type: string
                  name:
                    description: Name of the SecretStore resource
                    maxLength: 253
                    minLength: 1
                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    type: string
                type: object
              target:
                default:
                  creationPolicy: Owner
                  deletionPolicy: Retain
                description: |-
                  ExternalSecretTarget defines the Kubernetes Secret to be created
                  There can be only one target per ExternalSecret.
                properties:
                  creationPolicy:
                    default: Owner
                    description: |-
                      CreationPolicy defines rules on how to create the resulting Secret.
                      Defaults to "Owner"
                    enum:
                    - Owner
                    - Orphan
                    - Merge
                    - None
                    type: string
                  deletionPolicy:
                    default: Retain
                    description: |-
                      DeletionPolicy defines rules on how to delete the resulting Secret.
                      Defaults to "Retain"
                    enum:
                    - Delete
                    - Merge
                    - Retain
                    type: string
                  immutable:
                    description: Immutable defines if the final secret will be immutable
                    type: boolean
                  name:
                    description: |-
                      The name of the Secret resource to be managed.
                      Defaults to the .metadata.name of the ExternalSecret resource
                    maxLength: 253
                    minLength: 1
                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    type: string
                  template:
                    description: Template defines a blueprint for the created Secret resource.
                    properties:
                      data:
                        additionalProperties:
                          type: string
                        type: object
                      engineVersion:
                        default: v2
                        description: |-
                          EngineVersion specifies the template engine version
                          that should be used to compile/execute the
                          template specified in .data and .templateFrom[].
                        enum:
                        - v2
                        type: string
                      mergePolicy:
                        default: Replace
                        description: TemplateMergePolicy defines how template values should be merged when generating a secret.
                        enum:
                        - Replace
                        - Merge
                        type: string
                      metadata:
                        description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
                        properties:
                          annotations:
                            additionalProperties:
                              type: string
                            type: object
                          labels:
                            additionalProperties:
                              type: string
                            type: object
                        type: object
                      templateFrom:
                        items:
                          description: TemplateFrom defines a source for template data.
                          properties:
                            configMap:
                              description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
                              properties:
                                items:
                                  description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
                                  items:
                                    description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
                                    properties:
                                      key:
                                        description: A key in the ConfigMap/Secret
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      templateAs:
                                        default: Values
                                        description: TemplateScope defines the scope of the template when processing template data.
                                        enum:
                                        - Values
                                        - KeysAndValues
                                        type: string
                                    required:
                                    - key
                                    type: object
                                  type: array
                                name:
                                  description: The name of the ConfigMap/Secret resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              required:
                              - items
                              - name
                              type: object
                            literal:
                              type: string
                            secret:
                              description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
                              properties:
                                items:
                                  description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
                                  items:
                                    description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
                                    properties:
                                      key:
                                        description: A key in the ConfigMap/Secret
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      templateAs:
                                        default: Values
                                        description: TemplateScope defines the scope of the template when processing template data.
                                        enum:
                                        - Values
                                        - KeysAndValues
                                        type: string
                                    required:
                                    - key
                                    type: object
                                  type: array
                                name:
                                  description: The name of the ConfigMap/Secret resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              required:
                              - items
                              - name
                              type: object
                            target:
                              default: Data
                              description: TemplateTarget defines the target field where the template result will be stored.
                              enum:
                              - Data
                              - Annotations
                              - Labels
                              type: string
                          type: object
                        type: array
                      type:
                        type: string
                    type: object
                type: object
            type: object
          status:
            description: ExternalSecretStatus defines the observed state of ExternalSecret.
            properties:
              binding:
                description: Binding represents a servicebinding.io Provisioned Service reference to the secret
                properties:
                  name:
                    default: ""
                    description: |-
                      Name of the referent.
                      This field is effectively required, but due to backwards compatibility is
                      allowed to be empty. Instances of this type with an empty value here are
                      almost certainly wrong.
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                    type: string
                type: object
                x-kubernetes-map-type: atomic
              conditions:
                items:
                  description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              refreshTime:
                description: |-
                  refreshTime is the time and date the external secret was fetched and
                  the target secret updated
                format: date-time
                nullable: true
                type: string
              syncedResourceVersion:
                description: SyncedResourceVersion keeps track of the last synced version
                type: string
            type: object
        type: object
    served: false
    storage: false
    subresources:
      status: {}