← Back to index Esc
Kind
Secretstore
Group
external-secrets.io
Version
v1beta1
apiVersion: external-secrets.io/v1beta1 kind: Secretstore metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
SecretStoreSpec defines the desired state of SecretStore.
conditions []object
Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
namespaceRegexes []string
Choose namespaces by using regex matching
namespaceSelector object
Choose namespace using a labelSelector
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaces []string
Choose namespaces by name
controller string
Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property
provider object required
Used to configure the provider. Only one provider may be set
akeyless object
Akeyless configures this store to sync secrets using Akeyless Vault provider
akeylessGWApiURL string required
Akeyless GW API Url from which the secrets to be fetched from.
authSecretRef object required
Auth configures how the operator authenticates with Akeyless.
kubernetesAuth object
Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
accessID string required
the Akeyless Kubernetes auth-method access-id
k8sConfName string required
Kubernetes-auth configuration name in Akeyless-Gateway
secretRef object
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccountRef object
Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object
Reference to a Secret that contains the details to authenticate with Akeyless.
accessID object
The SecretAccessID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
accessType object
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
accessTypeParam object
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
caBundle string
PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
format: byte
caProvider object
The provider for the CA bundle to use to validate Akeyless Gateway certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
alibaba object
Alibaba configures this store to sync secrets using Alibaba Cloud provider
auth object required
AlibabaAuth contains a secretRef for credentials.
rrsa object
AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
oidcProviderArn string required
oidcTokenFilePath string required
roleArn string required
sessionName string required
secretRef object
AlibabaAuthSecretRef holds secret references for Alibaba credentials.
accessKeyIDSecretRef object required
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
accessKeySecretSecretRef object required
The AccessKeySecret is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
regionID string required
Alibaba Region to be used for the provider
aws object
AWS configures this store to sync secrets using AWS Secret Manager provider
additionalRoles []string
AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
auth object
Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
jwt object
AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
serviceAccountRef object
ServiceAccountSelector is a reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object
AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
sessionTokenSecretRef object
The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
externalID string
AWS External ID set on assumed IAM roles
prefix string
Prefix adds a prefix to all retrieved values.
region string required
AWS Region to be used for the provider
role string
Role is a Role ARN which the provider will assume
secretsManager object
SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
forceDeleteWithoutRecovery boolean
Specifies whether to delete the secret without any recovery window. You can't use both this parameter and RecoveryWindowInDays in the same call. If you don't use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
recoveryWindowInDays integer
The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can't use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don't use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
format: int64
service string required
Service defines which service should be used to fetch the secrets
enum: SecretsManager, ParameterStore
sessionTags []object
AWS STS assume role session tags
key string required
value string required
transitiveTagKeys []string
AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
azurekv object
AzureKV configures this store to sync secrets using Azure Key Vault provider
authSecretRef object
Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
clientCertificate object
The Azure ClientCertificate of the service principle used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientId object
The Azure clientId of the service principle or managed identity used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientSecret object
The Azure ClientSecret of the service principle used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
tenantId object
The Azure tenantId of the managed identity used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
authType string
Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
enum: ServicePrincipal, ManagedIdentity, WorkloadIdentity
environmentType string
EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
enum: PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
identityId string
If multiple Managed Identity is assigned to the pod, you can select the one to be used
serviceAccountRef object
ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
tenantId string
TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
vaultUrl string required
Vault Url from which the secrets to be fetched from.
beyondtrust object
Beyondtrust configures this store to sync secrets using Password Safe provider.
auth object required
Auth configures how the operator authenticates with Beyondtrust.
apiKey object
APIKey If not provided then ClientID/ClientSecret become required.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
certificate object
Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
certificateKey object
Certificate private key (key.pem). For use when authenticating with an OAuth client Id
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
clientId object
ClientID is the API OAuth Client ID.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
clientSecret object
ClientSecret is the API OAuth Client Secret.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
server object required
Auth configures how API server works.
apiUrl string required
apiVersion string
clientTimeOutSeconds integer
Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
decrypt boolean
When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.
retrievalType string
The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
separator string
A character that separates the folder names.
verifyCA boolean required
bitwardensecretsmanager object
BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
apiURL string
auth object required
Auth configures how secret-manager authenticates with a bitwarden machine account instance. Make sure that the token being used has permissions on the given secret.
secretRef object required
BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
credentials object required
AccessToken used for the bitwarden instance.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
bitwardenServerSDKURL string
caBundle string
Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack can be performed.
caProvider object
see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
identityURL string
organizationID string required
OrganizationID determines which organization this secret store manages.
projectID string required
ProjectID determines which project this secret store manages.
chef object
Chef configures this store to sync secrets with chef server
auth object required
Auth defines the information necessary to authenticate against chef Server
secretRef object required
ChefAuthSecretRef holds secret references for chef server login credentials.
privateKeySecretRef object required
SecretKey is the Signing Key in PEM format, used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serverUrl string required
ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
username string required
UserName should be the user ID on the chef server
cloudrusm object
CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
auth object required
CSMAuth contains a secretRef for credentials.
secretRef object
CSMAuthSecretRef holds secret references for Cloud.ru credentials.
accessKeyIDSecretRef object required
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
accessKeySecretSecretRef object required
The AccessKeySecret is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
projectID string
ProjectID is the project, which the secrets are stored in.
conjur object
Conjur configures this store to sync secrets using conjur provider
auth object required
Defines authentication settings for connecting to Conjur.
apikey object
Authenticates with Conjur using an API key.
account string required
Account is the Conjur organization account name.
apiKeyRef object required
A reference to a specific 'key' containing the Conjur API key within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
userRef object required
A reference to a specific 'key' containing the Conjur username within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
jwt object
Jwt enables JWT authentication using Kubernetes service account tokens.
account string required
Account is the Conjur organization account name.
hostId string
Optional HostID for JWT authentication. This may be used depending on how the Conjur JWT authenticator policy is configured.
secretRef object
Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccountRef object
Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceID string required
The conjur authn jwt webservice id
caBundle string
CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
caProvider object
Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
url string required
URL is the endpoint of the Conjur instance.
delinea object
Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
clientId object required
ClientID is the non-secret part of the credential.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
clientSecret object required
ClientSecret is the secret part of the credential.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
tenant string required
Tenant is the chosen hostname / site name.
tld string
TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com".
urlTemplate string
URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
device42 object
Device42 configures this store to sync secrets using the Device42 provider
auth object required
Auth configures how secret-manager authenticates with a Device42 instance.
secretRef object required
Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
credentials object
Username / Password is used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
host string required
URL configures the Device42 instance URL.
doppler object
Doppler configures this store to sync secrets using the Doppler provider
auth object required
Auth configures how the Operator authenticates with the Doppler API
secretRef object required
DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
dopplerToken object required
The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
config string
Doppler config (required if not using a Service Token)
format string
Format enables the downloading of secrets as a file (string)
enum: json, dotnet-json, env, yaml, docker
nameTransformer string
Environment variable compatible name transforms that change secret names to a different format
enum: upper-camel, camel, lower-snake, tf-var, dotnet-env, lower-kebab
project string
Doppler project (required if not using a Service Token)
fake object
Fake configures a store with static key/value pairs
data []object required
key string required
value string required
version string
fortanix object
Fortanix configures this store to sync secrets using the Fortanix provider
apiKey object
APIKey is the API token to access SDKMS Applications.
secretRef object
SecretRef is a reference to a secret containing the SDKMS API Key.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
apiUrl string
APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
gcpsm object
GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
auth object
Auth defines the information necessary to authenticate against GCP
secretRef object
GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
workloadIdentity object
GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
clusterLocation string
ClusterLocation is the location of the cluster If not specified, it fetches information from the metadata server
clusterName string
ClusterName is the name of the cluster If not specified, it fetches information from the metadata server
clusterProjectID string
ClusterProjectID is the project ID of the cluster If not specified, it fetches information from the metadata server
serviceAccountRef object required
ServiceAccountSelector is a reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
location string
Location optionally defines a location for a secret
projectID string
ProjectID project where secret is located
github object
Github configures this store to push GitHub Actions secrets using the GitHub API provider.
appID integer required
appID specifies the Github APP that will be used to authenticate the client
format: int64
auth object required
auth configures how secret-manager authenticates with a Github instance.
privateKey object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
environment string
environment will be used to fetch secrets from a particular environment within a github repository
installationID integer required
installationID specifies the Github APP installation that will be used to authenticate the client
format: int64
organization string required
organization will be used to fetch secrets from the Github organization
repository string
repository will be used to fetch secrets from the Github repository within an organization
uploadURL string
Upload URL for enterprise instances. Default to URL.
url string
URL configures the Github instance URL. Defaults to https://github.com/.
gitlab object
GitLab configures this store to sync secrets using GitLab Variables provider
auth object required
Auth configures how secret-manager authenticates with a GitLab instance.
SecretRef object required
GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
accessToken object
AccessToken is used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
caBundle string
Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack can be performed.
format: byte
caProvider object
see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
environment string
Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
groupIDs []string
GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
inheritFromGroups boolean
InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
projectID string
ProjectID specifies a project where secrets are located.
url string
URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
ibm object
IBM configures this store to sync secrets using IBM Cloud provider
auth object required
Auth configures how secret-manager authenticates with the IBM secrets manager.
containerAuth object
IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
iamEndpoint string
profile string required
the IBM Trusted Profile
tokenLocation string
Location the token is mounted on the pod
secretRef object
IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
secretApiKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceUrl string
ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
infisical object
Infisical configures this store to sync secrets using the Infisical provider
auth object required
Auth configures how the Operator authenticates with the Infisical API
universalAuthCredentials object
UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
clientId object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientSecret object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
hostAPI string
HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
secretsScope object required
SecretsScope defines the scope of the secrets within the workspace
environmentSlug string required
EnvironmentSlug is the required slug identifier for the environment.
expandSecretReferences boolean
ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
projectSlug string required
ProjectSlug is the required slug identifier for the project.
recursive boolean
Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
secretsPath string
SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
keepersecurity object
KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
authRef object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
folderID string required
kubernetes object
Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
auth object
Auth configures how secret-manager authenticates with a Kubernetes instance.
cert object
has both clientCert and clientKey as secretKeySelector
clientCert object
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
clientKey object
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccount object
points to a service account that should be used for authentication
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
token object
use static token to authenticate with
bearerToken object
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
authRef object
A reference to a secret that contains the auth information.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
remoteNamespace string
Remote namespace to fetch the secrets from
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
server object
configures the Kubernetes server Address.
caBundle string
CABundle is a base64-encoded CA certificate
format: byte
caProvider object
see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
url string
configures the Kubernetes server Address.
onboardbase object
Onboardbase configures this store to sync secrets using the Onboardbase provider
apiHost string required
APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
auth object required
Auth configures how the Operator authenticates with the Onboardbase API
apiKeyRef object required
OnboardbaseAPIKey is the APIKey generated by an admin account. It is used to recognize and authorize access to a project and environment within onboardbase
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
passcodeRef object required
OnboardbasePasscode is the passcode attached to the API Key
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
environment string required
Environment is the name of an environmnent within a project to pull the secrets from
project string required
Project is an onboardbase project that the secrets should be pulled from
onepassword object
OnePassword configures this store to sync secrets using the 1Password Cloud provider
auth object required
Auth defines the information necessary to authenticate against OnePassword Connect Server
secretRef object required
OnePasswordAuthSecretRef holds secret references for 1Password credentials.
connectTokenSecretRef object required
The ConnectToken is used for authentication to a 1Password Connect Server.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
connectHost string required
ConnectHost defines the OnePassword Connect Server to connect to
vaults object required
Vaults defines which OnePassword vaults to search in which order
oracle object
Oracle configures this store to sync secrets using Oracle Vault provider
auth object
Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
secretRef object required
SecretRef to pass through sensitive information.
fingerprint object required
Fingerprint is the fingerprint of the API private key.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
privatekey object required
PrivateKey is the user's API Signing Key in PEM format, used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
tenancy string required
Tenancy is the tenancy OCID where user is located.
user string required
User is an access OCID specific to the account.
compartment string
Compartment is the vault compartment OCID. Required for PushSecret
encryptionKey string
EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
principalType string
The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
enum: , UserPrincipal, InstancePrincipal, Workload
region string required
Region is the region where vault is located.
serviceAccountRef object
ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
vault string required
Vault is the vault's OCID of the specific vault where secret is located.
passbolt object
PassboltProvider defines configuration for the Passbolt provider.
auth object required
Auth defines the information necessary to authenticate against Passbolt Server
passwordSecretRef object required
PasswordSecretRef is a reference to the secret containing the Passbolt password
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
privateKeySecretRef object required
PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
host string required
Host defines the Passbolt Server to connect to
passworddepot object
PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
auth object required
Auth configures how secret-manager authenticates with a Password Depot instance.
secretRef object required
PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
credentials object
Username / Password is used for authentication.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
database string required
Database to use as source
host string required
URL configures the Password Depot instance URL.
previder object
Previder configures this store to sync secrets using the Previder provider
auth object required
PreviderAuth contains a secretRef for credentials.
secretRef object
PreviderAuthSecretRef holds secret references for Previder Vault credentials.
accessToken object required
The AccessToken is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
baseUri string
pulumi object
Pulumi configures this store to sync secrets using the Pulumi provider
accessToken object required
AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
secretRef object
SecretRef is a reference to a secret containing the Pulumi API token.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
apiUrl string
APIURL is the URL of the Pulumi API.
environment string required
Environment are YAML documents composed of static key-value pairs, programmatic expressions, dynamically retrieved values from supported providers including all major clouds, and other Pulumi ESC environments. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
organization string required
Organization are a space to collaborate on shared projects and stacks. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
project string required
Project is the name of the Pulumi ESC project the environment belongs to.
scaleway object
Scaleway configures this store to sync secrets using the Scaleway provider.
accessKey object required
AccessKey is the non-secret part of the api key.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
apiUrl string
APIURL is the url of the api to use. Defaults to https://api.scaleway.com
projectId string required
ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings
region string required
Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone
secretKey object required
SecretKey is the non-secret part of the api key.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
secretserver object
SecretServer configures this store to sync secrets using SecretServer provider https://docs.delinea.com/online-help/secret-server/start.htm
password object required
Password is the secret server account password.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
serverURL string required
ServerURL URL to your secret server installation
username object required
Username is the secret server account username.
secretRef object
SecretRef references a key in a secret that will be used as value.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
value string
Value can be specified directly to set a value without using a secret.
senhasegura object
Senhasegura configures this store to sync secrets using senhasegura provider
auth object required
Auth defines parameters to authenticate in senhasegura
clientId string required
clientSecretSecretRef object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
ignoreSslCertificate boolean
IgnoreSslCertificate defines if SSL certificate must be ignored
module string required
Module defines which senhasegura module should be used to get secrets
url string required
URL of senhasegura
vault object
Vault configures this store to sync secrets using the HashiCorp Vault provider.
auth object
Auth configures how secret-manager authenticates with the Vault server.
appRole object
AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
path string required
Path where the App Role authentication backend is mounted in Vault, e.g: "approle"
roleId string
RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
roleRef object
Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object required
Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
cert object
Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
clientCert object
ClientCert is a certificate to authenticate using the Cert Vault authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretRef object
SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
iam object
Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
externalID string
AWS External ID set on assumed IAM roles
jwt object
Specify a service account with IRSA enabled
serviceAccountRef object
ServiceAccountSelector is a reference to a ServiceAccount resource.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
path string
Path where the AWS auth method is enabled in Vault, e.g: "aws"
region string
AWS region
role string
This is the AWS role to be assumed before talking to vault
secretRef object
Specify credentials in a Secret object
accessKeyIDSecretRef object
The AccessKeyID is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
secretAccessKeySecretRef object
The SecretAccessKey is used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
sessionTokenSecretRef object
The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
vaultAwsIamServerID string
X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
vaultRole string required
Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
jwt object
Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
kubernetesServiceAccountToken object
Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
audiences []string
Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead
expirationSeconds integer
Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.
format: int64
serviceAccountRef object required
Service account field containing the name of a kubernetes ServiceAccount.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
path string required
Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"
role string
Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
secretRef object
Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
kubernetes object
Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
mountPath string required
Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"
role string required
A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
secretRef object
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
serviceAccountRef object
Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
audiences []string
Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
name string required
The name of the ServiceAccount resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
ldap object
Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
path string required
Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"
secretRef object
SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
username string required
Username is an LDAP username used to authenticate using the LDAP Vault authentication method
namespace string
Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces This will default to Vault.Namespace field if set, or empty otherwise
tokenSecretRef object
TokenSecretRef authenticates with Vault by presenting a token.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
userPass object
UserPass authenticates with Vault by passing username/password pair
path string required
Path where the UserPassword authentication backend is mounted in Vault, e.g: "userpass"
secretRef object
SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
username string required
Username is a username used to authenticate using the UserPass Vault authentication method
caBundle string
PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
caProvider object
The provider for the CA bundle to use to validate Vault server certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
forwardInconsistent boolean
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
headers object
Headers to be added in Vault request
namespace string
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
path string
Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.
readYourWrites boolean
ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
server string required
Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
tls object
The configuration used for client side related TLS communication, when the Vault server requires mutual authentication. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. It's worth noting this configuration is different from the "TLS certificates auth method", which is available under the `auth.cert` section.
certSecretRef object
CertSecretRef is a certificate added to the transport layer when communicating with the Vault server. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
keySecretRef object
KeySecretRef to a key in a Secret resource containing client private key added to the transport layer when communicating with the Vault server. If no key for the Secret is specified, external-secret will default to 'tls.key'.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
version string
Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
enum: v1, v2
webhook object
Webhook configures this store to sync secrets using a generic templated webhook
auth object
Auth specifies a authorization protocol. Only one protocol may be set.
ntlm object
NTLMProtocol configures the store to use NTLM for auth
passwordSecret object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
usernameSecret object required
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
body string
Body
caBundle string
PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
format: byte
caProvider object
The provider for the CA bundle to use to validate webhook server certificate.
key string
The key where the CA certificate can be found in the Secret or ConfigMap.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string required
The name of the object located at the provider type.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace the Provider type is in.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
type string required
The type of provider to use such as "Secret", or "ConfigMap".
enum: Secret, ConfigMap
headers object
Headers
method string
Webhook Method
result object required
Result formatting
jsonPath string
Json path of return value
secrets []object
Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
name string required
Name of this secret in templates
secretRef object required
Secret ref to fill in credentials
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
timeout string
Timeout
url string required
Webhook url to call
yandexcertificatemanager object
YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
apiEndpoint string
Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
auth object required
Auth defines the information necessary to authenticate against Yandex Certificate Manager
authorizedKeySecretRef object
The authorized key used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
caProvider object
The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
certSecretRef object
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
yandexlockbox object
YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
apiEndpoint string
Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
auth object required
Auth defines the information necessary to authenticate against Yandex Lockbox
authorizedKeySecretRef object
The authorized key used for authentication
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
caProvider object
The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
certSecretRef object
SecretKeySelector is a reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
key string
A key in the referenced Secret. Some instances of this field may be defaulted, in others it may be required.
pattern: ^[-._a-zA-Z0-9]+$
minLength: 1
maxLength: 253
name string
The name of the Secret resource being referred to.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
namespace string
The namespace of the Secret resource being referred to. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
refreshInterval integer
Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
retrySettings object
Used to configure HTTP retries on failures.
maxRetries integer
MaxRetries is the maximum number of retry attempts.
format: int32
retryInterval string
RetryInterval is the interval between retry attempts.
status object
SecretStoreStatus defines the observed state of the SecretStore.
capabilities string
SecretStoreCapabilities defines the possible operations a SecretStore can do.
conditions []object
lastTransitionTime string
format: date-time
message string
reason string
status string required
type string required
SecretStoreConditionType represents the condition type of the SecretStore.
Copied!