Skip to search

SecretStore

external-secrets.io / v1alpha1

apiVersion: external-secrets.io/v1alpha1 kind: SecretStore metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
SecretStoreSpec defines the desired state of SecretStore.
controller string
Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property
provider object required
Used to configure the provider. Only one provider may be set
akeyless object
Akeyless configures this store to sync secrets using Akeyless Vault provider
akeylessGWApiURL string required
Akeyless GW API Url from which the secrets to be fetched from.
authSecretRef object required
Auth configures how the operator authenticates with Akeyless.
kubernetesAuth object
Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
accessID string required
the Akeyless Kubernetes auth-method access-id
k8sConfName string required
Kubernetes-auth configuration name in Akeyless-Gateway
secretRef object
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccountRef object
Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object
Reference to a Secret that contains the details to authenticate with Akeyless.
accessID object
The SecretAccessID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
accessType object
A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
accessTypeParam object
A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
caBundle string
PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
format: byte
caProvider object
The provider for the CA bundle to use to validate Akeyless Gateway certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
alibaba object
Alibaba configures this store to sync secrets using Alibaba Cloud provider
auth object required
AlibabaAuth contains a secretRef for credentials.
rrsa object
Authenticate against Alibaba using RRSA.
oidcProviderArn string required
oidcTokenFilePath string required
roleArn string required
sessionName string required
secretRef object
AlibabaAuthSecretRef holds secret references for Alibaba credentials.
accessKeyIDSecretRef object required
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
accessKeySecretSecretRef object required
The AccessKeySecret is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
regionID string required
Alibaba Region to be used for the provider
aws object
AWS configures this store to sync secrets using AWS Secret Manager provider
auth object
Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
jwt object
Authenticate against AWS using service account tokens.
serviceAccountRef object
A reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object
AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
region string required
AWS Region to be used for the provider
role string
Role is a Role ARN which the SecretManager provider will assume
service string required
Service defines which service should be used to fetch the secrets
enum: SecretsManager, ParameterStore
azurekv object
AzureKV configures this store to sync secrets using Azure Key Vault provider
authSecretRef object
Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
clientId object
The Azure clientId of the service principle used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientSecret object
The Azure ClientSecret of the service principle used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
authType string
Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
enum: ServicePrincipal, ManagedIdentity, WorkloadIdentity
identityId string
If multiple Managed Identity is assigned to the pod, you can select the one to be used
serviceAccountRef object
ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
tenantId string
TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
vaultUrl string required
Vault Url from which the secrets to be fetched from.
fake object
Fake configures a store with static key/value pairs
data []object required
key string required
value string
valueMap object
version string
gcpsm object
GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
auth object
Auth defines the information necessary to authenticate against GCP
secretRef object
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
workloadIdentity object
clusterLocation string required
clusterName string required
clusterProjectID string
serviceAccountRef object required
A reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
projectID string
ProjectID project where secret is located
gitlab object
GitLab configures this store to sync secrets using GitLab Variables provider
auth object required
Auth configures how secret-manager authenticates with a GitLab instance.
SecretRef object required
accessToken object
AccessToken is used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
projectID string
ProjectID specifies a project where secrets are located.
url string
URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
ibm object
IBM configures this store to sync secrets using IBM Cloud provider
auth object required
Auth configures how secret-manager authenticates with the IBM secrets manager.
secretRef object required
secretApiKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceUrl string
ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
kubernetes object
Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
auth object required
Auth configures how secret-manager authenticates with a Kubernetes instance.
cert object
has both clientCert and clientKey as secretKeySelector
clientCert object
A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientKey object
A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccount object
points to a service account that should be used for authentication
serviceAccount object
A reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
token object
use static token to authenticate with
bearerToken object
A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
remoteNamespace string
Remote namespace to fetch the secrets from
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
server object
configures the Kubernetes server Address.
caBundle string
CABundle is a base64-encoded CA certificate
format: byte
caProvider object
see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
url string
configures the Kubernetes server Address.
oracle object
Oracle configures this store to sync secrets using Oracle Vault provider
auth object
Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
secretRef object required
SecretRef to pass through sensitive information.
fingerprint object required
Fingerprint is the fingerprint of the API private key.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
privatekey object required
PrivateKey is the user's API Signing Key in PEM format, used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
tenancy string required
Tenancy is the tenancy OCID where user is located.
user string required
User is an access OCID specific to the account.
compartment string
Compartment is the vault compartment OCID. Required for PushSecret
encryptionKey string
EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
principalType string
The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
enum: , UserPrincipal, InstancePrincipal, Workload
region string required
Region is the region where vault is located.
serviceAccountRef object
ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
vault string required
Vault is the vault's OCID of the specific vault where secret is located.
passworddepot object
Configures a store to sync secrets with a Password Depot instance.
auth object required
Auth configures how secret-manager authenticates with a Password Depot instance.
secretRef object required
credentials object
Username / Password is used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
database string required
Database to use as source
host string required
URL configures the Password Depot instance URL.
vault object
Vault configures this store to sync secrets using Hashi provider
auth object required
Auth configures how secret-manager authenticates with the Vault server.
appRole object
AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
path string required
Path where the App Role authentication backend is mounted in Vault, e.g: "approle"
roleId string required
RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
secretRef object required
Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
cert object
Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
clientCert object
ClientCert is a certificate to authenticate using the Cert Vault authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object
SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
jwt object
Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
kubernetesServiceAccountToken object
Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
audiences []string
Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
expirationSeconds integer
Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
format: int64
serviceAccountRef object required
Service account field containing the name of a kubernetes ServiceAccount.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
path string required
Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"
role string
Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
secretRef object
Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
kubernetes object
Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
mountPath string required
Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"
role string required
A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
secretRef object
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccountRef object
Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
ldap object
Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
path string required
Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"
secretRef object
SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
username string required
Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
tokenSecretRef object
TokenSecretRef authenticates with Vault by presenting a token.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
caBundle string
PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
caProvider object
The provider for the CA bundle to use to validate Vault server certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
forwardInconsistent boolean
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
namespace string
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
path string
Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.
readYourWrites boolean
ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
server string required
Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
version string
Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
enum: v1, v2
webhook object
Webhook configures this store to sync secrets using a generic templated webhook
body string
Body
caBundle string
PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
caProvider object
The provider for the CA bundle to use to validate webhook server certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
headers object
Headers
method string
Webhook Method
result object required
Result formatting
jsonPath string
Json path of return value
secrets []object
Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
name string required
Name of this secret in templates
secretRef object required
Secret ref to fill in credentials
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
timeout string
Timeout
url string required
Webhook url to call
yandexlockbox object
YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
apiEndpoint string
Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
auth object required
Auth defines the information necessary to authenticate against Yandex Lockbox
authorizedKeySecretRef object
The authorized key used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
caProvider object
The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
certSecretRef object
A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
retrySettings object
Used to configure http retries if failed
maxRetries integer
format: int32
retryInterval string
status object
SecretStoreStatus defines the observed state of the SecretStore.
conditions []object
lastTransitionTime string
format: date-time
message string
reason string
status string required
type string required

No matches. Try .spec.controller for an exact path