Skip to search

ClusterGenerator

generators.external-secrets.io / v1alpha1

apiVersion: generators.external-secrets.io/v1alpha1 kind: ClusterGenerator metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
generator object required
Generator the spec for this generator, must match the kind.
acrAccessTokenSpec object
ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
auth object required
ACRAuth defines the authentication methods for Azure Container Registry.
managedIdentity object
ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
identityId string
If multiple Managed Identity is assigned to the pod, you can select the one to be used
servicePrincipal object
ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
secretRef object required
AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication. It uses static credentials stored in a Kind=Secret.
clientId object
The Azure clientId of the service principle used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientSecret object
The Azure ClientSecret of the service principle used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
workloadIdentity object
WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
serviceAccountRef object
ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
environmentType string
EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
enum: PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
registry string required
the domain name of the ACR registry e.g. foobarexample.azurecr.io
scope string
Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. examples: repository:my-repository:pull,push repository:my-repository:pull see docs for details: https://docs.docker.com/registry/spec/auth/scope/
tenantId string
TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
cloudsmithAccessTokenSpec object
CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
apiUrl string
APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
orgSlug string required
OrgSlug is the organization slug in Cloudsmith
serviceAccountRef object required
Name of the service account you are federating with
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceSlug string required
ServiceSlug is the service slug in Cloudsmith for OIDC authentication
ecrAuthorizationTokenSpec object
ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
auth object
Auth defines how to authenticate with AWS
jwt object
AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
serviceAccountRef object
ServiceAccountSelector is a reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object
AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
sessionTokenSecretRef object
The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
region string required
Region specifies the region to operate in.
role string
You can assume a role before making calls to the desired AWS service.
scope string
Scope specifies the ECR service scope. Valid options are private and public.
fakeSpec object
FakeSpec contains the static data.
controller string
Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property
data object
Data defines the static data returned by this generator.
gcrAccessTokenSpec object
GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
auth object required
Auth defines the means for authenticating with GCP
secretRef object
GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
workloadIdentity object
GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
clusterLocation string required
clusterName string required
clusterProjectID string
serviceAccountRef object required
ServiceAccountSelector is a reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
workloadIdentityFederation object
GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
audience string
audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool. If specified, Audience found in the external account credential config will be overridden with the configured value. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
awsSecurityCredentials object
awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token, when using the AWS metadata server is not an option.
awsCredentialsSecretRef object required
awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials. Secret should be created with below names for keys - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
name string required
name of the secret.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
namespace in which the secret exists. If empty, secret will looked up in local namespace.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
region string required
region is for configuring the AWS region to be used.
pattern: ^[a-z0-9-]+$
minLength: 1
maxLength: 50
credConfig object
credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead serviceAccountRef must be used by providing operators service account details.
key string required
key name holding the external account credential config.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
name of the configmap.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
externalTokenEndpoint string
externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the credential_source.url in the provided credConfig. This field is merely to double-check the external token source URL is having the expected value.
gcpServiceAccountEmail string
GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate after Workload Identity Federation. Use this to grant access through the service account's IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides service_account_impersonation_url in the external account JSON from credConfig; when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation on that ServiceAccount.
pattern: ^.*@.*\.iam\.gserviceaccount\.com$
minLength: 1
serviceAccountRef object
serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, when Kubernetes is configured as provider in workload identity pool.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
projectID string required
ProjectID defines which project to use to authenticate with
githubAccessTokenSpec object
GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
appID string required
auth object required
Auth configures how ESO authenticates with a Github instance.
privateKey object required
GithubSecretRef references a secret containing GitHub credentials.
secretRef object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
installID string required
permissions object
Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
repositories []string
List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App is installed to.
url string
URL configures the GitHub instance URL. Defaults to https://github.com/.
grafanaSpec object
GrafanaSpec controls the behavior of the grafana generator.
auth object required
Auth is the authentication configuration to authenticate against the Grafana instance.
basic object
Basic auth credentials used to authenticate against the Grafana instance. Note: you need a token which has elevated permissions to create service accounts. See here for the documentation on basic roles offered by Grafana: https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
password object required
A basic auth password used to authenticate against the Grafana instance.
key string
The key where the token is found.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
username string required
A basic auth username used to authenticate against the Grafana instance.
token object
A service account token used to authenticate against the Grafana instance. Note: you need a token which has elevated permissions to create service accounts. See here for the documentation on basic roles offered by Grafana: https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
key string
The key where the token is found.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
serviceAccount object required
ServiceAccount is the configuration for the service account that is supposed to be generated by the generator.
name string required
Name is the name of the service account that will be created by ESO.
role string required
Role is the role of the service account. See here for the documentation on basic roles offered by Grafana: https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
url string required
URL is the URL of the Grafana instance.
mfaSpec object
MFASpec controls the behavior of the mfa generator.
algorithm string
Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
length integer
Length defines the token length. Defaults to 6 characters.
secret object required
Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
timePeriod integer
TimePeriod defines how long the token can be active. Defaults to 30 seconds.
when string
When defines a time parameter that can be used to pin the origin time of the generated token.
format: date-time
passwordSpec object
PasswordSpec controls the behavior of the password generator.
allowRepeat boolean required
set AllowRepeat to true to allow repeating characters.
digits integer
Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password
encoding string
Encoding specifies the encoding of the generated password. Valid values are: - "raw" (default): no encoding - "base64": standard base64 encoding - "base64url": base64url encoding - "base32": base32 encoding - "hex": hexadecimal encoding
enum: base64, base64url, base32, hex, raw
length integer required
Length of the password to be generated. Defaults to 24
noUpper boolean required
Set NoUpper to disable uppercase characters
secretKeys []string
SecretKeys defines the keys that will be populated with generated passwords. Defaults to "password" when not set.
minItems: 1
symbolCharacters string
SymbolCharacters specifies the special characters that should be used in the generated password.
symbols integer
Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password
quayAccessTokenSpec object
QuayAccessTokenSpec defines the desired state to generate a Quay access token.
robotAccount string required
Name of the robot account you are federating with
serviceAccountRef object required
Name of the service account you are federating with
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
url string
URL configures the Quay instance URL. Defaults to quay.io.
sshKeySpec object
SSHKeySpec controls the behavior of the ssh key generator.
comment string
Comment specifies an optional comment for the SSH key
keySize integer
KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256). For RSA keys: 2048, 3072, 4096 For ECDSA keys: 256, 384, 521 Ignored for ed25519 keys
minimum: 256
maximum: 8192
keyType string
KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
enum: rsa, ecdsa, ed25519
stsSessionTokenSpec object
STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
auth object
Auth defines how to authenticate with AWS
jwt object
AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
serviceAccountRef object
ServiceAccountSelector is a reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object
AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
sessionTokenSecretRef object
The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
region string required
Region specifies the region to operate in.
requestParameters object
RequestParameters contains parameters that can be passed to the STS service.
serialNumber string
SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken call. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user)
sessionDuration integer
format: int32
tokenCode string
TokenCode is the value provided by the MFA device, if MFA is required.
role string
You can assume a role before making calls to the desired AWS service.
uuidSpec object
UUIDSpec controls the behavior of the uuid generator.
vaultDynamicSecretSpec object
VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
allowEmptyResponse boolean
Do not fail if no secrets are found. Useful for requests where no data is expected.
controller string
Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property
getParameters object
GetParameters are query-string parameters passed to Vault on GET calls. Each key may map to multiple values, matching HTTP query-string semantics. Ignored for non-GET methods; use Parameters for write bodies.
method string
Vault API method to use (GET/POST/other)
parameters object
Parameters to pass to Vault write (for non-GET methods)
path string required
Vault path to obtain the dynamic secret from
provider object required
Vault provider common spec
auth object
Auth configures how secret-manager authenticates with the Vault server.
appRole object
AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
path string required
Path where the App Role authentication backend is mounted in Vault, e.g: "approle"
roleId string
RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
roleRef object
Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object required
Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
cert object
Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
clientCert object
ClientCert is a certificate to authenticate using the Cert Vault authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
path string
Path where the Certificate authentication backend is mounted in Vault, e.g: "cert"
secretRef object
SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
vaultRole string
VaultRole specifies the Vault role to use for TLS certificate authentication.
gcp object
Gcp authenticates with Vault using Google Cloud Platform authentication method GCP authentication method
location string
Location optionally defines a location/region for the secret
path string
Path where the GCP auth method is enabled in Vault, e.g: "gcp"
projectID string
Project ID of the Google Cloud Platform project
role string required
Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
secretRef object
Specify credentials in a Secret object
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccountRef object
ServiceAccountRef to a service account for impersonation
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
workloadIdentity object
Specify a service account with Workload Identity
clusterLocation string
ClusterLocation is the location of the cluster If not specified, it fetches information from the metadata server
clusterName string
ClusterName is the name of the cluster If not specified, it fetches information from the metadata server
clusterProjectID string
ClusterProjectID is the project ID of the cluster If not specified, it fetches information from the metadata server
serviceAccountRef object required
ServiceAccountSelector is a reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
iam object
Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
externalID string
AWS External ID set on assumed IAM roles
jwt object
Specify a service account with IRSA enabled
serviceAccountRef object
ServiceAccountSelector is a reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
path string
Path where the AWS auth method is enabled in Vault, e.g: "aws"
region string
AWS region
role string
This is the AWS role to be assumed before talking to vault
secretRef object
Specify credentials in a Secret object
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
sessionTokenSecretRef object
The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
vaultAwsIamServerID string
X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
vaultRole string required
Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
jwt object
Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
kubernetesServiceAccountToken object
Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
audiences []string
Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead
expirationSeconds integer
Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.
format: int64
serviceAccountRef object required
Service account field containing the name of a kubernetes ServiceAccount.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
path string required
Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"
role string
Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
secretRef object
Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
kubernetes object
Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
mountPath string required
Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"
role string required
A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
secretRef object
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccountRef object
Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
ldap object
Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
path string required
Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"
secretRef object
SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
username string required
Username is an LDAP username used to authenticate using the LDAP Vault authentication method
namespace string
Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces This will default to Vault.Namespace field if set, or empty otherwise
tokenSecretRef object
TokenSecretRef authenticates with Vault by presenting a token.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
userPass object
UserPass authenticates with Vault by passing username/password pair
path string required
Path where the UserPassword authentication backend is mounted in Vault, e.g: "userpass"
secretRef object
SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
username string required
Username is a username used to authenticate using the UserPass Vault authentication method
caBundle string
PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
caProvider object
The provider for the CA bundle to use to validate Vault server certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
checkAndSet object
CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations. Only applies to Vault KV v2 stores. When enabled, write operations must include the current version of the secret to prevent unintentional overwrites.
required boolean
Required when true, all write operations must include a check-and-set parameter. This helps prevent unintentional overwrites of secrets.
forwardInconsistent boolean
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
headers object
Headers to be added in Vault request
namespace string
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
path string
Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.
readYourWrites boolean
ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
server string required
Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
tls object
The configuration used for client side related TLS communication, when the Vault server requires mutual authentication. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. It's worth noting this configuration is different from the "TLS certificates auth method", which is available under the `auth.cert` section.
certSecretRef object
CertSecretRef is a certificate added to the transport layer when communicating with the Vault server. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
keySecretRef object
KeySecretRef to a key in a Secret resource containing client private key added to the transport layer when communicating with the Vault server. If no key for the Secret is specified, external-secret will default to 'tls.key'.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
version string
Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
enum: v1, v2
resultType string
Result type defines which data is returned from the generator. By default, it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. Additionally, accessing the raw response is possibly by using "Raw" result type.
enum: Data, Auth, Raw
retrySettings object
Used to configure http retries if failed
maxRetries integer
format: int32
retryInterval string
webhookSpec object
WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
auth object
Auth specifies a authorization protocol. Only one protocol may be set.
ntlm object
NTLMProtocol configures the store to use NTLM for auth
passwordSecret object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
usernameSecret object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
body string
Body
caBundle string
PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
caProvider object
The provider for the CA bundle to use to validate webhook server certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
headers object
Headers
method string
Webhook Method
result object required
Result formatting
jsonPath string
Json path of return value
secrets []object
Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
name string required
Name of this secret in templates
secretRef object required
Secret ref to fill in credentials
key string
The key where the token is found.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
timeout string
Timeout
url string required
Webhook url to call
kind string required
Kind the kind of this generator.
enum: ACRAccessToken, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, ... ACRAccessToken, CloudsmithAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, SSHKey, STSSessionToken, UUID, VaultDynamicSecret, Webhook, Grafana

No matches. Try .spec.generator for an exact path