1560 lines
84 KiB
Io
1560 lines
84 KiB
Io
---
|
|
# Source: external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.19.0
|
|
labels:
|
|
external-secrets.io/component: controller
|
|
name: clusterexternalsecrets.external-secrets.io
|
|
spec:
|
|
group: external-secrets.io
|
|
names:
|
|
categories:
|
|
- external-secrets
|
|
kind: ClusterExternalSecret
|
|
listKind: ClusterExternalSecretList
|
|
plural: clusterexternalsecrets
|
|
shortNames:
|
|
- ces
|
|
singular: clusterexternalsecret
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.externalSecretSpec.secretStoreRef.name
|
|
name: Store
|
|
type: string
|
|
- jsonPath: .spec.refreshTime
|
|
name: Refresh Interval
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
|
|
properties:
|
|
externalSecretMetadata:
|
|
description: The metadata of the external secrets to be created
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
externalSecretName:
|
|
description: |-
|
|
The name of the external secrets to be created.
|
|
Defaults to the name of the ClusterExternalSecret
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
externalSecretSpec:
|
|
description: The spec for the ExternalSecrets to be created
|
|
properties:
|
|
data:
|
|
description: Data defines the connection between the Kubernetes Secret keys and the Provider data
|
|
items:
|
|
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
|
|
properties:
|
|
remoteRef:
|
|
description: |-
|
|
RemoteRef points to the remote secret and defines
|
|
which secret (version/property/..) to fetch.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
key:
|
|
description: Key is the key used in the Provider, mandatory
|
|
type: string
|
|
metadataPolicy:
|
|
default: None
|
|
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
|
|
enum:
|
|
- None
|
|
- Fetch
|
|
type: string
|
|
property:
|
|
description: Used to select a specific property of the Provider value (if a map), if supported
|
|
type: string
|
|
version:
|
|
description: Used to select a specific version of the Provider value, if supported
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
secretKey:
|
|
description: The key in the Kubernetes Secret to store the value.
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[-._a-zA-Z0-9]+$
|
|
type: string
|
|
sourceRef:
|
|
description: |-
|
|
SourceRef allows you to override the source
|
|
from which the value will be pulled.
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
generatorRef:
|
|
description: |-
|
|
GeneratorRef points to a generator custom resource.
|
|
|
|
Deprecated: The generatorRef is not implemented in .data[].
|
|
this will be removed with v1.
|
|
properties:
|
|
apiVersion:
|
|
default: generators.external-secrets.io/v1alpha1
|
|
description: Specify the apiVersion of the generator resource
|
|
type: string
|
|
kind:
|
|
description: Specify the Kind of the generator resource
|
|
enum:
|
|
- ACRAccessToken
|
|
- ClusterGenerator
|
|
- CloudsmithAccessToken
|
|
- ECRAuthorizationToken
|
|
- Fake
|
|
- GCRAccessToken
|
|
- GithubAccessToken
|
|
- QuayAccessToken
|
|
- Password
|
|
- SSHKey
|
|
- STSSessionToken
|
|
- UUID
|
|
- VaultDynamicSecret
|
|
- Webhook
|
|
- Grafana
|
|
- MFA
|
|
type: string
|
|
name:
|
|
description: Specify the name of the generator resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
storeRef:
|
|
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
enum:
|
|
- SecretStore
|
|
- ClusterSecretStore
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- remoteRef
|
|
- secretKey
|
|
type: object
|
|
type: array
|
|
dataFrom:
|
|
description: |-
|
|
DataFrom is used to fetch all properties from a specific Provider data
|
|
If multiple entries are specified, the Secret keys are merged in the specified order
|
|
items:
|
|
description: |-
|
|
ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
|
|
when using DataFrom to fetch multiple values from a Provider.
|
|
properties:
|
|
extract:
|
|
description: |-
|
|
Used to extract multiple key/value pairs from one secret
|
|
Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
key:
|
|
description: Key is the key used in the Provider, mandatory
|
|
type: string
|
|
metadataPolicy:
|
|
default: None
|
|
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
|
|
enum:
|
|
- None
|
|
- Fetch
|
|
type: string
|
|
property:
|
|
description: Used to select a specific property of the Provider value (if a map), if supported
|
|
type: string
|
|
version:
|
|
description: Used to select a specific version of the Provider value, if supported
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
find:
|
|
description: |-
|
|
Used to find secrets based on tags or regular expressions
|
|
Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
name:
|
|
description: Finds secrets based on the name.
|
|
properties:
|
|
regexp:
|
|
description: Finds secrets base
|
|
type: string
|
|
type: object
|
|
path:
|
|
description: A root path to start the find operations.
|
|
type: string
|
|
tags:
|
|
additionalProperties:
|
|
type: string
|
|
description: Find secrets based on tags.
|
|
type: object
|
|
type: object
|
|
rewrite:
|
|
description: |-
|
|
Used to rewrite secret Keys after getting them from the secret Provider
|
|
Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
|
|
items:
|
|
description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
merge:
|
|
description: |-
|
|
Used to merge key/values in one single Secret
|
|
The resulting key will contain all values from the specified secrets
|
|
properties:
|
|
conflictPolicy:
|
|
default: Error
|
|
description: Used to define the policy to use in conflict resolution.
|
|
enum:
|
|
- Ignore
|
|
- Error
|
|
type: string
|
|
into:
|
|
default: ""
|
|
description: |-
|
|
Used to define the target key of the merge operation.
|
|
Required if strategy is JSON. Ignored otherwise.
|
|
type: string
|
|
priority:
|
|
description: Used to define key priority in conflict resolution.
|
|
items:
|
|
type: string
|
|
type: array
|
|
priorityPolicy:
|
|
default: Strict
|
|
description: Used to define the policy when a key in the priority list does not exist in the input.
|
|
enum:
|
|
- IgnoreNotFound
|
|
- Strict
|
|
type: string
|
|
strategy:
|
|
default: Extract
|
|
description: Used to define the strategy to use in the merge operation.
|
|
enum:
|
|
- Extract
|
|
- JSON
|
|
type: string
|
|
type: object
|
|
regexp:
|
|
description: |-
|
|
Used to rewrite with regular expressions.
|
|
The resulting key will be the output of a regexp.ReplaceAll operation.
|
|
properties:
|
|
source:
|
|
description: Used to define the regular expression of a re.Compiler.
|
|
type: string
|
|
target:
|
|
description: Used to define the target pattern of a ReplaceAll operation.
|
|
type: string
|
|
required:
|
|
- source
|
|
- target
|
|
type: object
|
|
transform:
|
|
description: |-
|
|
Used to apply string transformation on the secrets.
|
|
The resulting key will be the output of the template applied by the operation.
|
|
properties:
|
|
template:
|
|
description: |-
|
|
Used to define the template to apply on the secret name.
|
|
`.value ` will specify the secret name in the template.
|
|
type: string
|
|
required:
|
|
- template
|
|
type: object
|
|
type: object
|
|
type: array
|
|
sourceRef:
|
|
description: |-
|
|
SourceRef points to a store or generator
|
|
which contains secret values ready to use.
|
|
Use this in combination with Extract or Find pull values out of
|
|
a specific SecretStore.
|
|
When sourceRef points to a generator Extract or Find is not supported.
|
|
The generator returns a static map of values
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
generatorRef:
|
|
description: GeneratorRef points to a generator custom resource.
|
|
properties:
|
|
apiVersion:
|
|
default: generators.external-secrets.io/v1alpha1
|
|
description: Specify the apiVersion of the generator resource
|
|
type: string
|
|
kind:
|
|
description: Specify the Kind of the generator resource
|
|
enum:
|
|
- ACRAccessToken
|
|
- ClusterGenerator
|
|
- CloudsmithAccessToken
|
|
- ECRAuthorizationToken
|
|
- Fake
|
|
- GCRAccessToken
|
|
- GithubAccessToken
|
|
- QuayAccessToken
|
|
- Password
|
|
- SSHKey
|
|
- STSSessionToken
|
|
- UUID
|
|
- VaultDynamicSecret
|
|
- Webhook
|
|
- Grafana
|
|
- MFA
|
|
type: string
|
|
name:
|
|
description: Specify the name of the generator resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
storeRef:
|
|
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
enum:
|
|
- SecretStore
|
|
- ClusterSecretStore
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: array
|
|
refreshInterval:
|
|
default: 1h
|
|
description: |-
|
|
RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
|
|
specified as Golang Duration strings.
|
|
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
|
|
Example values: "1h", "2h30m", "10s"
|
|
May be set to zero to fetch and create it once. Defaults to 1h.
|
|
type: string
|
|
refreshPolicy:
|
|
description: |-
|
|
RefreshPolicy determines how the ExternalSecret should be refreshed:
|
|
- CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
|
|
- Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
|
|
No periodic updates occur if refreshInterval is 0.
|
|
- OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
|
|
enum:
|
|
- CreatedOnce
|
|
- Periodic
|
|
- OnChange
|
|
type: string
|
|
secretStoreRef:
|
|
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
enum:
|
|
- SecretStore
|
|
- ClusterSecretStore
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
type: object
|
|
target:
|
|
default:
|
|
creationPolicy: Owner
|
|
deletionPolicy: Retain
|
|
description: |-
|
|
ExternalSecretTarget defines the Kubernetes Secret to be created,
|
|
there can be only one target per ExternalSecret.
|
|
properties:
|
|
creationPolicy:
|
|
default: Owner
|
|
description: |-
|
|
CreationPolicy defines rules on how to create the resulting Secret.
|
|
Defaults to "Owner"
|
|
enum:
|
|
- Owner
|
|
- Orphan
|
|
- Merge
|
|
- None
|
|
type: string
|
|
deletionPolicy:
|
|
default: Retain
|
|
description: |-
|
|
DeletionPolicy defines rules on how to delete the resulting Secret.
|
|
Defaults to "Retain"
|
|
enum:
|
|
- Delete
|
|
- Merge
|
|
- Retain
|
|
type: string
|
|
immutable:
|
|
description: Immutable defines if the final secret will be immutable
|
|
type: boolean
|
|
manifest:
|
|
description: |-
|
|
Manifest defines a custom Kubernetes resource to create instead of a Secret.
|
|
When specified, ExternalSecret will create the resource type defined here
|
|
(e.g., ConfigMap, Custom Resource) instead of a Secret.
|
|
Warning: Using Generic target. Make sure access policies and encryption are properly configured.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
|
|
minLength: 1
|
|
type: string
|
|
kind:
|
|
description: Kind of the target resource (e.g., "ConfigMap", "Application")
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- apiVersion
|
|
- kind
|
|
type: object
|
|
name:
|
|
description: |-
|
|
The name of the Secret resource to be managed.
|
|
Defaults to the .metadata.name of the ExternalSecret resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
template:
|
|
description: Template defines a blueprint for the created Secret resource.
|
|
properties:
|
|
data:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
engineVersion:
|
|
default: v2
|
|
description: |-
|
|
EngineVersion specifies the template engine version
|
|
that should be used to compile/execute the
|
|
template specified in .data and .templateFrom[].
|
|
enum:
|
|
- v2
|
|
type: string
|
|
mergePolicy:
|
|
default: Replace
|
|
description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
|
|
enum:
|
|
- Replace
|
|
- Merge
|
|
type: string
|
|
metadata:
|
|
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
finalizers:
|
|
items:
|
|
type: string
|
|
type: array
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
templateFrom:
|
|
items:
|
|
description: |-
|
|
TemplateFrom specifies a source for templates.
|
|
Each item in the list can either reference a ConfigMap or a Secret resource.
|
|
properties:
|
|
configMap:
|
|
description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
|
|
properties:
|
|
items:
|
|
description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
|
|
items:
|
|
description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
|
|
properties:
|
|
key:
|
|
description: A key in the ConfigMap/Secret
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[-._a-zA-Z0-9]+$
|
|
type: string
|
|
templateAs:
|
|
default: Values
|
|
description: TemplateScope specifies how the template keys should be interpreted.
|
|
enum:
|
|
- Values
|
|
- KeysAndValues
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
type: array
|
|
name:
|
|
description: The name of the ConfigMap/Secret resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- items
|
|
- name
|
|
type: object
|
|
literal:
|
|
type: string
|
|
secret:
|
|
description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
|
|
properties:
|
|
items:
|
|
description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
|
|
items:
|
|
description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
|
|
properties:
|
|
key:
|
|
description: A key in the ConfigMap/Secret
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[-._a-zA-Z0-9]+$
|
|
type: string
|
|
templateAs:
|
|
default: Values
|
|
description: TemplateScope specifies how the template keys should be interpreted.
|
|
enum:
|
|
- Values
|
|
- KeysAndValues
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
type: array
|
|
name:
|
|
description: The name of the ConfigMap/Secret resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- items
|
|
- name
|
|
type: object
|
|
target:
|
|
default: Data
|
|
description: |-
|
|
Target specifies where to place the template result.
|
|
For Secret resources, common values are: "Data", "Annotations", "Labels".
|
|
For custom resources (when spec.target.manifest is set), this supports
|
|
nested paths like "spec.database.config" or "data".
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
namespaceSelector:
|
|
description: |-
|
|
The labels to select by to find the Namespaces to create the ExternalSecrets in.
|
|
Deprecated: Use NamespaceSelectors instead.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaceSelectors:
|
|
description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
|
|
items:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
namespaces:
|
|
description: |-
|
|
Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
|
|
Deprecated: Use NamespaceSelectors instead.
|
|
items:
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
type: string
|
|
type: array
|
|
refreshTime:
|
|
description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
|
|
type: string
|
|
required:
|
|
- externalSecretSpec
|
|
type: object
|
|
status:
|
|
description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
|
|
properties:
|
|
message:
|
|
type: string
|
|
status:
|
|
type: string
|
|
type:
|
|
description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
externalSecretName:
|
|
description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
|
|
type: string
|
|
failedNamespaces:
|
|
description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
|
|
items:
|
|
description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
|
|
properties:
|
|
namespace:
|
|
description: Namespace is the namespace that failed when trying to apply an ExternalSecret
|
|
type: string
|
|
reason:
|
|
description: Reason is why the ExternalSecret failed to apply to the namespace
|
|
type: string
|
|
required:
|
|
- namespace
|
|
type: object
|
|
type: array
|
|
provisionedNamespaces:
|
|
description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.externalSecretSpec.secretStoreRef.name
|
|
name: Store
|
|
type: string
|
|
- jsonPath: .spec.refreshTime
|
|
name: Refresh Interval
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
deprecated: true
|
|
name: v1beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
|
|
properties:
|
|
externalSecretMetadata:
|
|
description: The metadata of the external secrets to be created
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
externalSecretName:
|
|
description: |-
|
|
The name of the external secrets to be created.
|
|
Defaults to the name of the ClusterExternalSecret
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
externalSecretSpec:
|
|
description: The spec for the ExternalSecrets to be created
|
|
properties:
|
|
data:
|
|
description: Data defines the connection between the Kubernetes Secret keys and the Provider data
|
|
items:
|
|
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
|
|
properties:
|
|
remoteRef:
|
|
description: |-
|
|
RemoteRef points to the remote secret and defines
|
|
which secret (version/property/..) to fetch.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
key:
|
|
description: Key is the key used in the Provider, mandatory
|
|
type: string
|
|
metadataPolicy:
|
|
default: None
|
|
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
|
|
enum:
|
|
- None
|
|
- Fetch
|
|
type: string
|
|
property:
|
|
description: Used to select a specific property of the Provider value (if a map), if supported
|
|
type: string
|
|
version:
|
|
description: Used to select a specific version of the Provider value, if supported
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
secretKey:
|
|
description: The key in the Kubernetes Secret to store the value.
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[-._a-zA-Z0-9]+$
|
|
type: string
|
|
sourceRef:
|
|
description: |-
|
|
SourceRef allows you to override the source
|
|
from which the value will be pulled.
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
generatorRef:
|
|
description: |-
|
|
GeneratorRef points to a generator custom resource.
|
|
|
|
Deprecated: The generatorRef is not implemented in .data[].
|
|
this will be removed with v1.
|
|
properties:
|
|
apiVersion:
|
|
default: generators.external-secrets.io/v1alpha1
|
|
description: Specify the apiVersion of the generator resource
|
|
type: string
|
|
kind:
|
|
description: Specify the Kind of the generator resource
|
|
enum:
|
|
- ACRAccessToken
|
|
- ClusterGenerator
|
|
- ECRAuthorizationToken
|
|
- Fake
|
|
- GCRAccessToken
|
|
- GithubAccessToken
|
|
- QuayAccessToken
|
|
- Password
|
|
- SSHKey
|
|
- STSSessionToken
|
|
- UUID
|
|
- VaultDynamicSecret
|
|
- Webhook
|
|
- Grafana
|
|
type: string
|
|
name:
|
|
description: Specify the name of the generator resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
storeRef:
|
|
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
enum:
|
|
- SecretStore
|
|
- ClusterSecretStore
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
type: object
|
|
type: object
|
|
required:
|
|
- remoteRef
|
|
- secretKey
|
|
type: object
|
|
type: array
|
|
dataFrom:
|
|
description: |-
|
|
DataFrom is used to fetch all properties from a specific Provider data
|
|
If multiple entries are specified, the Secret keys are merged in the specified order
|
|
items:
|
|
description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
|
|
properties:
|
|
extract:
|
|
description: |-
|
|
Used to extract multiple key/value pairs from one secret
|
|
Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
key:
|
|
description: Key is the key used in the Provider, mandatory
|
|
type: string
|
|
metadataPolicy:
|
|
default: None
|
|
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
|
|
enum:
|
|
- None
|
|
- Fetch
|
|
type: string
|
|
property:
|
|
description: Used to select a specific property of the Provider value (if a map), if supported
|
|
type: string
|
|
version:
|
|
description: Used to select a specific version of the Provider value, if supported
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
find:
|
|
description: |-
|
|
Used to find secrets based on tags or regular expressions
|
|
Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
|
|
properties:
|
|
conversionStrategy:
|
|
default: Default
|
|
description: Used to define a conversion Strategy
|
|
enum:
|
|
- Default
|
|
- Unicode
|
|
type: string
|
|
decodingStrategy:
|
|
default: None
|
|
description: Used to define a decoding Strategy
|
|
enum:
|
|
- Auto
|
|
- Base64
|
|
- Base64URL
|
|
- None
|
|
type: string
|
|
name:
|
|
description: Finds secrets based on the name.
|
|
properties:
|
|
regexp:
|
|
description: Finds secrets base
|
|
type: string
|
|
type: object
|
|
path:
|
|
description: A root path to start the find operations.
|
|
type: string
|
|
tags:
|
|
additionalProperties:
|
|
type: string
|
|
description: Find secrets based on tags.
|
|
type: object
|
|
type: object
|
|
rewrite:
|
|
description: |-
|
|
Used to rewrite secret Keys after getting them from the secret Provider
|
|
Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
|
|
items:
|
|
description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
regexp:
|
|
description: |-
|
|
Used to rewrite with regular expressions.
|
|
The resulting key will be the output of a regexp.ReplaceAll operation.
|
|
properties:
|
|
source:
|
|
description: Used to define the regular expression of a re.Compiler.
|
|
type: string
|
|
target:
|
|
description: Used to define the target pattern of a ReplaceAll operation.
|
|
type: string
|
|
required:
|
|
- source
|
|
- target
|
|
type: object
|
|
transform:
|
|
description: |-
|
|
Used to apply string transformation on the secrets.
|
|
The resulting key will be the output of the template applied by the operation.
|
|
properties:
|
|
template:
|
|
description: |-
|
|
Used to define the template to apply on the secret name.
|
|
`.value ` will specify the secret name in the template.
|
|
type: string
|
|
required:
|
|
- template
|
|
type: object
|
|
type: object
|
|
type: array
|
|
sourceRef:
|
|
description: |-
|
|
SourceRef points to a store or generator
|
|
which contains secret values ready to use.
|
|
Use this in combination with Extract or Find pull values out of
|
|
a specific SecretStore.
|
|
When sourceRef points to a generator Extract or Find is not supported.
|
|
The generator returns a static map of values
|
|
maxProperties: 1
|
|
minProperties: 1
|
|
properties:
|
|
generatorRef:
|
|
description: GeneratorRef points to a generator custom resource.
|
|
properties:
|
|
apiVersion:
|
|
default: generators.external-secrets.io/v1alpha1
|
|
description: Specify the apiVersion of the generator resource
|
|
type: string
|
|
kind:
|
|
description: Specify the Kind of the generator resource
|
|
enum:
|
|
- ACRAccessToken
|
|
- ClusterGenerator
|
|
- ECRAuthorizationToken
|
|
- Fake
|
|
- GCRAccessToken
|
|
- GithubAccessToken
|
|
- QuayAccessToken
|
|
- Password
|
|
- SSHKey
|
|
- STSSessionToken
|
|
- UUID
|
|
- VaultDynamicSecret
|
|
- Webhook
|
|
- Grafana
|
|
type: string
|
|
name:
|
|
description: Specify the name of the generator resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
storeRef:
|
|
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
enum:
|
|
- SecretStore
|
|
- ClusterSecretStore
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: array
|
|
refreshInterval:
|
|
default: 1h
|
|
description: |-
|
|
RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
|
|
specified as Golang Duration strings.
|
|
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
|
|
Example values: "1h", "2h30m", "10s"
|
|
May be set to zero to fetch and create it once. Defaults to 1h.
|
|
type: string
|
|
refreshPolicy:
|
|
description: |-
|
|
RefreshPolicy determines how the ExternalSecret should be refreshed:
|
|
- CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
|
|
- Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
|
|
No periodic updates occur if refreshInterval is 0.
|
|
- OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
|
|
enum:
|
|
- CreatedOnce
|
|
- Periodic
|
|
- OnChange
|
|
type: string
|
|
secretStoreRef:
|
|
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
|
|
properties:
|
|
kind:
|
|
description: |-
|
|
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
|
|
Defaults to `SecretStore`
|
|
enum:
|
|
- SecretStore
|
|
- ClusterSecretStore
|
|
type: string
|
|
name:
|
|
description: Name of the SecretStore resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
type: object
|
|
target:
|
|
default:
|
|
creationPolicy: Owner
|
|
deletionPolicy: Retain
|
|
description: |-
|
|
ExternalSecretTarget defines the Kubernetes Secret to be created
|
|
There can be only one target per ExternalSecret.
|
|
properties:
|
|
creationPolicy:
|
|
default: Owner
|
|
description: |-
|
|
CreationPolicy defines rules on how to create the resulting Secret.
|
|
Defaults to "Owner"
|
|
enum:
|
|
- Owner
|
|
- Orphan
|
|
- Merge
|
|
- None
|
|
type: string
|
|
deletionPolicy:
|
|
default: Retain
|
|
description: |-
|
|
DeletionPolicy defines rules on how to delete the resulting Secret.
|
|
Defaults to "Retain"
|
|
enum:
|
|
- Delete
|
|
- Merge
|
|
- Retain
|
|
type: string
|
|
immutable:
|
|
description: Immutable defines if the final secret will be immutable
|
|
type: boolean
|
|
name:
|
|
description: |-
|
|
The name of the Secret resource to be managed.
|
|
Defaults to the .metadata.name of the ExternalSecret resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
template:
|
|
description: Template defines a blueprint for the created Secret resource.
|
|
properties:
|
|
data:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
engineVersion:
|
|
default: v2
|
|
description: |-
|
|
EngineVersion specifies the template engine version
|
|
that should be used to compile/execute the
|
|
template specified in .data and .templateFrom[].
|
|
enum:
|
|
- v2
|
|
type: string
|
|
mergePolicy:
|
|
default: Replace
|
|
description: TemplateMergePolicy defines how template values should be merged when generating a secret.
|
|
enum:
|
|
- Replace
|
|
- Merge
|
|
type: string
|
|
metadata:
|
|
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
templateFrom:
|
|
items:
|
|
description: TemplateFrom defines a source for template data.
|
|
properties:
|
|
configMap:
|
|
description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
|
|
properties:
|
|
items:
|
|
description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
|
|
items:
|
|
description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
|
|
properties:
|
|
key:
|
|
description: A key in the ConfigMap/Secret
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[-._a-zA-Z0-9]+$
|
|
type: string
|
|
templateAs:
|
|
default: Values
|
|
description: TemplateScope defines the scope of the template when processing template data.
|
|
enum:
|
|
- Values
|
|
- KeysAndValues
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
type: array
|
|
name:
|
|
description: The name of the ConfigMap/Secret resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- items
|
|
- name
|
|
type: object
|
|
literal:
|
|
type: string
|
|
secret:
|
|
description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
|
|
properties:
|
|
items:
|
|
description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
|
|
items:
|
|
description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
|
|
properties:
|
|
key:
|
|
description: A key in the ConfigMap/Secret
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[-._a-zA-Z0-9]+$
|
|
type: string
|
|
templateAs:
|
|
default: Values
|
|
description: TemplateScope defines the scope of the template when processing template data.
|
|
enum:
|
|
- Values
|
|
- KeysAndValues
|
|
type: string
|
|
required:
|
|
- key
|
|
type: object
|
|
type: array
|
|
name:
|
|
description: The name of the ConfigMap/Secret resource
|
|
maxLength: 253
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
type: string
|
|
required:
|
|
- items
|
|
- name
|
|
type: object
|
|
target:
|
|
default: Data
|
|
description: TemplateTarget defines the target field where the template result will be stored.
|
|
enum:
|
|
- Data
|
|
- Annotations
|
|
- Labels
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
namespaceSelector:
|
|
description: The labels to select by to find the Namespaces to create the ExternalSecrets in
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaceSelectors:
|
|
description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
|
|
items:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
namespaces:
|
|
description: |-
|
|
Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
|
|
Deprecated: Use NamespaceSelectors instead.
|
|
items:
|
|
maxLength: 63
|
|
minLength: 1
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
type: string
|
|
type: array
|
|
refreshTime:
|
|
description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
|
|
type: string
|
|
required:
|
|
- externalSecretSpec
|
|
type: object
|
|
status:
|
|
description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
|
|
properties:
|
|
message:
|
|
type: string
|
|
status:
|
|
type: string
|
|
type:
|
|
description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
externalSecretName:
|
|
description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
|
|
type: string
|
|
failedNamespaces:
|
|
description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
|
|
items:
|
|
description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
|
|
properties:
|
|
namespace:
|
|
description: Namespace is the namespace that failed when trying to apply an ExternalSecret
|
|
type: string
|
|
reason:
|
|
description: Reason is why the ExternalSecret failed to apply to the namespace
|
|
type: string
|
|
required:
|
|
- namespace
|
|
type: object
|
|
type: array
|
|
provisionedNamespaces:
|
|
description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: false
|
|
storage: false
|
|
subresources:
|
|
status: {}
|