ClusterGenerator
generators.external-secrets.io / v1alpha1
apiVersion: generators.external-secrets.io/v1alpha1
kind: ClusterGenerator
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
generator object required
Generator the spec for this generator, must match the kind.
acrAccessTokenSpec object
ACRAccessTokenSpec defines how to generate the access token
e.g. how to authenticate and which registry to use.
see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
auth object required
managedIdentity object
ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
identityId
string
If multiple Managed Identity is assigned to the pod, you can select the one to be used
servicePrincipal object
ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
secretRef object required
Configuration used to authenticate with Azure using static
credentials stored in a Kind=Secret.
clientId object
The Azure clientId of the service principle used for authentication.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63clientSecret object
The Azure ClientSecret of the service principle used for authentication.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63workloadIdentity object
WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
serviceAccountRef object
ServiceAccountRef specified the service account
that should be used when authenticating with WorkloadIdentity.
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
environmentType
string
EnvironmentType specifies the Azure cloud environment endpoints to use for
connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
enum:
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
registry
string required
the domain name of the ACR registry
e.g. foobarexample.azurecr.io
scope
string
Define the scope for the access token, e.g. pull/push access for a repository.
if not provided it will return a refresh token that has full scope.
Note: you need to pin it down to the repository level, there is no wildcard available.
examples:
repository:my-repository:pull,push
repository:my-repository:pull
see docs for details: https://docs.docker.com/registry/spec/auth/scope/
tenantId
string
TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
ecrAuthorizationTokenSpec object
auth object
Auth defines how to authenticate with AWS
jwt object
Authenticate against AWS using service account tokens.
serviceAccountRef object
A reference to a ServiceAccount resource.
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63secretRef object
AWSAuthSecretRef holds secret references for AWS credentials
both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63sessionTokenSecretRef object
The SessionToken used for authentication
This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
region
string required
Region specifies the region to operate in.
role
string
You can assume a role before making calls to the
desired AWS service.
scope
string
Scope specifies the ECR service scope.
Valid options are private and public.
fakeSpec object
FakeSpec contains the static data.
controller
string
Used to select the correct ESO controller (think: ingress.ingressClassName)
The ESO controller is instantiated with a specific controller name and filters VDS based on this property
data
object
Data defines the static data returned
by this generator.
gcrAccessTokenSpec object
auth object required
Auth defines the means for authenticating with GCP
secretRef object
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63workloadIdentity object
clusterLocation
string required
clusterName
string required
clusterProjectID
string
serviceAccountRef object required
A reference to a ServiceAccount resource.
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
projectID
string required
ProjectID defines which project to use to authenticate with
githubAccessTokenSpec object
appID
string required
auth object required
Auth configures how ESO authenticates with a Github instance.
privateKey object required
secretRef object required
A reference to a specific 'key' within a Secret resource.
In some instances, `key` is a required field.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
installID
string required
permissions
object
Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
repositories
[]string
List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
is installed to.
url
string
URL configures the Github instance URL. Defaults to https://github.com/.
grafanaSpec object
GrafanaSpec controls the behavior of the grafana generator.
auth object required
Auth is the authentication configuration to authenticate
against the Grafana instance.
token object required
A service account token used to authenticate against the Grafana instance.
Note: you need a token which has elevated permissions to create service accounts.
See here for the documentation on basic roles offered by Grafana:
https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
key
string
The key where the token is found.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253serviceAccount object required
ServiceAccount is the configuration for the service account that
is supposed to be generated by the generator.
name
string required
Name is the name of the service account that will be created by ESO.
role
string required
Role is the role of the service account.
See here for the documentation on basic roles offered by Grafana:
https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
url
string required
URL is the URL of the Grafana instance.
passwordSpec object
PasswordSpec controls the behavior of the password generator.
allowRepeat
boolean required
set AllowRepeat to true to allow repeating characters.
digits
integer
Digits specifies the number of digits in the generated
password. If omitted it defaults to 25% of the length of the password
length
integer required
Length of the password to be generated.
Defaults to 24
noUpper
boolean required
Set NoUpper to disable uppercase characters
symbolCharacters
string
SymbolCharacters specifies the special characters that should be used
in the generated password.
symbols
integer
Symbols specifies the number of symbol characters in the generated
password. If omitted it defaults to 25% of the length of the password
quayAccessTokenSpec object
robotAccount
string required
Name of the robot account you are federating with
serviceAccountRef object required
Name of the service account you are federating with
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
url
string
URL configures the Quay instance URL. Defaults to quay.io.
stsSessionTokenSpec object
auth object
Auth defines how to authenticate with AWS
jwt object
Authenticate against AWS using service account tokens.
serviceAccountRef object
A reference to a ServiceAccount resource.
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63secretRef object
AWSAuthSecretRef holds secret references for AWS credentials
both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63sessionTokenSecretRef object
The SessionToken used for authentication
This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
region
string required
Region specifies the region to operate in.
requestParameters object
RequestParameters contains parameters that can be passed to the STS service.
serialNumber
string
SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
the GetSessionToken call.
Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
(such as arn:aws:iam::123456789012:mfa/user)
sessionDuration
integer
SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
(12 hours) as the default.
format:
int64
tokenCode
string
TokenCode is the value provided by the MFA device, if MFA is required.
role
string
You can assume a role before making calls to the
desired AWS service.
uuidSpec
object
UUIDSpec controls the behavior of the uuid generator.
vaultDynamicSecretSpec object
allowEmptyResponse
boolean
Do not fail if no secrets are found. Useful for requests where no data is expected.
controller
string
Used to select the correct ESO controller (think: ingress.ingressClassName)
The ESO controller is instantiated with a specific controller name and filters VDS based on this property
method
string
Vault API method to use (GET/POST/other)
parameters
object
Parameters to pass to Vault write (for non-GET methods)
path
string required
Vault path to obtain the dynamic secret from
provider object required
Vault provider common spec
auth object required
Auth configures how secret-manager authenticates with the Vault server.
appRole object
AppRole authenticates with Vault using the App Role auth mechanism,
with the role and secret stored in a Kubernetes Secret resource.
path
string required
Path where the App Role authentication backend is mounted
in Vault, e.g: "approle"
roleId
string
RoleID configured in the App Role authentication backend when setting
up the authentication backend in Vault.
roleRef object
Reference to a key in a Secret that contains the App Role ID used
to authenticate with Vault.
The `key` field must be specified and denotes which entry within the Secret
resource is used as the app role id.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63secretRef object required
Reference to a key in a Secret that contains the App Role secret used
to authenticate with Vault.
The `key` field must be specified and denotes which entry within the Secret
resource is used as the app role secret.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63cert object
Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
Cert authentication method
clientCert object
ClientCert is a certificate to authenticate using the Cert Vault
authentication method
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63secretRef object
SecretRef to a key in a Secret resource containing client private key to
authenticate with Vault using the Cert authentication method
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63iam object
Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
AWS IAM authentication method
externalID
string
AWS External ID set on assumed IAM roles
jwt object
Specify a service account with IRSA enabled
serviceAccountRef object
A reference to a ServiceAccount resource.
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
path
string
Path where the AWS auth method is enabled in Vault, e.g: "aws"
region
string
AWS region
role
string
This is the AWS role to be assumed before talking to vault
secretRef object
Specify credentials in a Secret object
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63sessionTokenSecretRef object
The SessionToken used for authentication
This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
vaultAwsIamServerID
string
X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
vaultRole
string required
Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
jwt object
Jwt authenticates with Vault by passing role and JWT token using the
JWT/OIDC authentication method
kubernetesServiceAccountToken object
Optional ServiceAccountToken specifies the Kubernetes service account for which to request
a token for with the `TokenRequest` API.
audiences
[]string
Optional audiences field that will be used to request a temporary Kubernetes service
account token for the service account referenced by `serviceAccountRef`.
Defaults to a single audience `vault` it not specified.
Deprecated: use serviceAccountRef.Audiences instead
expirationSeconds
integer
Optional expiration time in seconds that will be used to request a temporary
Kubernetes service account token for the service account referenced by
`serviceAccountRef`.
Deprecated: this will be removed in the future.
Defaults to 10 minutes.
format:
int64serviceAccountRef object required
Service account field containing the name of a kubernetes ServiceAccount.
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
path
string required
Path where the JWT authentication backend is mounted
in Vault, e.g: "jwt"
role
string
Role is a JWT role to authenticate using the JWT/OIDC Vault
authentication method
secretRef object
Optional SecretRef that refers to a key in a Secret resource containing JWT token to
authenticate with Vault using the JWT/OIDC authentication method.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63kubernetes object
Kubernetes authenticates with Vault by passing the ServiceAccount
token stored in the named Secret resource to the Vault server.
mountPath
string required
Path where the Kubernetes authentication backend is mounted in Vault, e.g:
"kubernetes"
role
string required
A required field containing the Vault Role to assume. A Role binds a
Kubernetes ServiceAccount with a set of Vault policies.
secretRef object
Optional secret field containing a Kubernetes ServiceAccount JWT used
for authenticating with Vault. If a name is specified without a key,
`token` is the default. If one is not specified, the one bound to
the controller will be used.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63serviceAccountRef object
Optional service account field containing the name of a kubernetes ServiceAccount.
If the service account is specified, the service account secret token JWT will be used
for authenticating with Vault. If the service account selector is not supplied,
the secretRef will be used instead.
audiences
[]string
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
name
string required
The name of the ServiceAccount resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63ldap object
Ldap authenticates with Vault by passing username/password pair using
the LDAP authentication method
path
string required
Path where the LDAP authentication backend is mounted
in Vault, e.g: "ldap"
secretRef object
SecretRef to a key in a Secret resource containing password for the LDAP
user used to authenticate with Vault using the LDAP authentication
method
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
username
string required
Username is a LDAP user name used to authenticate using the LDAP Vault
authentication method
namespace
string
Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
Namespaces is a set of features within Vault Enterprise that allows
Vault environments to support Secure Multi-tenancy. e.g: "ns1".
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
This will default to Vault.Namespace field if set, or empty otherwise
tokenSecretRef object
TokenSecretRef authenticates with Vault by presenting a token.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63userPass object
UserPass authenticates with Vault by passing username/password pair
path
string required
Path where the UserPassword authentication backend is mounted
in Vault, e.g: "user"
secretRef object
SecretRef to a key in a Secret resource containing password for the
user used to authenticate with Vault using the UserPass authentication
method
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
username
string required
Username is a user name used to authenticate using the UserPass Vault
authentication method
caBundle
string
PEM encoded CA bundle used to validate Vault server certificate. Only used
if the Server URL is using HTTPS protocol. This parameter is ignored for
plain HTTP protocol connection. If not set the system root certificates
are used to validate the TLS connection.
format:
bytecaProvider object
The provider for the CA bundle to use to validate Vault server certificate.
key
string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string required
The name of the object located at the provider type.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace the Provider type is in.
Can only be defined when used in a ClusterSecretStore.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
type
string required
The type of provider to use such as "Secret", or "ConfigMap".
enum:
Secret, ConfigMap
forwardInconsistent
boolean
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
leader instead of simply retrying within a loop. This can increase performance if
the option is enabled serverside.
https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
headers
object
Headers to be added in Vault request
namespace
string
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
Vault environments to support Secure Multi-tenancy. e.g: "ns1".
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
path
string
Path is the mount path of the Vault KV backend endpoint, e.g:
"secret". The v2 KV secret engine version specific "/data" path suffix
for fetching secrets from Vault is optional and will be appended
if not present in specified path.
readYourWrites
boolean
ReadYourWrites ensures isolated read-after-write semantics by
providing discovered cluster replication states in each request.
More information about eventual consistency in Vault can be found here
https://www.vaultproject.io/docs/enterprise/consistency
server
string required
Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
tls object
The configuration used for client side related TLS communication, when the Vault server
requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
This parameter is ignored for plain HTTP protocol connection.
It's worth noting this configuration is different from the "TLS certificates auth method",
which is available under the `auth.cert` section.
certSecretRef object
CertSecretRef is a certificate added to the transport layer
when communicating with the Vault server.
If no key for the Secret is specified, external-secret will default to 'tls.crt'.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63keySecretRef object
KeySecretRef to a key in a Secret resource containing client private key
added to the transport layer when communicating with the Vault server.
If no key for the Secret is specified, external-secret will default to 'tls.key'.
key
string
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
version
string
Version is the Vault KV secret engine version. This can be either "v1" or
"v2". Version defaults to "v2".
enum:
v1, v2
resultType
string
Result type defines which data is returned from the generator.
By default it is the "data" section of the Vault API response.
When using e.g. /auth/token/create the "data" section is empty but
the "auth" section contains the generated token.
Please refer to the vault docs regarding the result data structure.
Additionally, accessing the raw response is possibly by using "Raw" result type.
enum:
Data, Auth, RawretrySettings object
Used to configure http retries if failed
maxRetries
integer
format:
int32
retryInterval
string
webhookSpec object
WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
body
string
Body
caBundle
string
PEM encoded CA bundle used to validate webhook server certificate. Only used
if the Server URL is using HTTPS protocol. This parameter is ignored for
plain HTTP protocol connection. If not set the system root certificates
are used to validate the TLS connection.
format:
bytecaProvider object
The provider for the CA bundle to use to validate webhook server certificate.
key
string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string required
The name of the object located at the provider type.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
namespace
string
The namespace the Provider type is in.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$minLength:
1maxLength:
63
type
string required
The type of provider to use such as "Secret", or "ConfigMap".
enum:
Secret, ConfigMap
headers
object
Headers
method
string
Webhook Method
result object required
Result formatting
jsonPath
string
Json path of return value
secrets []object
Secrets to fill in templates
These secrets will be passed to the templating function as key value pairs under the given name
name
string required
Name of this secret in templates
secretRef object required
Secret ref to fill in credentials
key
string
The key where the token is found.
pattern:
^[-._a-zA-Z0-9]+$minLength:
1maxLength:
253
name
string
The name of the Secret resource being referred to.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$minLength:
1maxLength:
253
timeout
string
Timeout
url
string required
Webhook url to call
kind
string required
Kind the kind of this generator.
enum:
ACRAccessToken, ECRAuthorizationToken, Fake, GCRAccessToken, GithubAccessToken, QuayAccessToken, Password, STSSessionToken, UUID, VaultDynamicSecret, Webhook, GrafanaNo matches. Try .spec.generator for an exact path