{
  "description": "BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.\nThis generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials\n(such as AWS STS credentials) each time an ExternalSecret is refreshed.\nDynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.\nFor complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": [
        "string",
        "null"
      ]
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": [
        "string",
        "null"
      ]
    },
    "metadata": {
      "type": [
        "object",
        "null"
      ]
    },
    "spec": {
      "additionalProperties": false,
      "description": "BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.\nThis generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.\nFor more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api",
      "properties": {
        "controller": {
          "description": "Controller selects the controller that should handle this generator.\nLeave empty to use the default controller.",
          "type": [
            "string",
            "null"
          ]
        },
        "provider": {
          "additionalProperties": false,
          "description": "Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,\nserver connection details, and the folder path to the dynamic secret definition.\nThe folderPath should point to a dynamic secret definition that has been created in\nBeyondTrust Workload Credentials (e.g., \"production/aws-temp\").\nFor setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api",
          "properties": {
            "auth": {
              "additionalProperties": false,
              "description": "Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.\nCurrently supports API key authentication via Kubernetes secret reference.\nFor authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication",
              "properties": {
                "apikey": {
                  "additionalProperties": false,
                  "description": "APIKey configures API token authentication for BeyondTrust Workload Credentials.\nThe token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.",
                  "properties": {
                    "token": {
                      "additionalProperties": false,
                      "description": "Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.\nThe secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.\nCreate an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.\nFor details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication",
                      "properties": {
                        "key": {
                          "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.",
                          "maxLength": 253,
                          "minLength": 1,
                          "pattern": "^[-._a-zA-Z0-9]+$",
                          "type": [
                            "string",
                            "null"
                          ]
                        },
                        "name": {
                          "description": "The name of the Secret resource being referred to.",
                          "maxLength": 253,
                          "minLength": 1,
                          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                          "type": [
                            "string",
                            "null"
                          ]
                        },
                        "namespace": {
                          "description": "The namespace of the Secret resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.",
                          "maxLength": 63,
                          "minLength": 1,
                          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
                          "type": [
                            "string",
                            "null"
                          ]
                        }
                      },
                      "type": "object"
                    }
                  },
                  "required": [
                    "token"
                  ],
                  "type": "object"
                }
              },
              "required": [
                "apikey"
              ],
              "type": "object"
            },
            "caBundle": {
              "description": "CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.\nUse this when your BeyondTrust instance uses a self-signed certificate or internal CA.\nIf not set, the system's trusted root certificates are used.",
              "format": "byte",
              "type": [
                "string",
                "null"
              ]
            },
            "caProvider": {
              "additionalProperties": false,
              "description": "CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.\nThis is used to validate the BeyondTrust Workload Credentials API TLS certificate.\nUse this as an alternative to CABundle when you want to reference an existing Kubernetes resource.",
              "properties": {
                "key": {
                  "description": "The key where the CA certificate can be found in the Secret or ConfigMap.",
                  "maxLength": 253,
                  "minLength": 1,
                  "pattern": "^[-._a-zA-Z0-9]+$",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "name": {
                  "description": "The name of the object located at the provider type.",
                  "maxLength": 253,
                  "minLength": 1,
                  "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                  "type": "string"
                },
                "namespace": {
                  "description": "The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.",
                  "maxLength": 63,
                  "minLength": 1,
                  "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
                  "type": [
                    "string",
                    "null"
                  ]
                },
                "type": {
                  "description": "The type of provider to use, either \"Secret\" or \"ConfigMap\".",
                  "enum": [
                    "Secret",
                    "ConfigMap"
                  ],
                  "type": "string"
                }
              },
              "required": [
                "name",
                "type"
              ],
              "type": [
                "object",
                "null"
              ]
            },
            "folderPath": {
              "description": "FolderPath specifies the default folder path for secret retrieval.\nSecrets will be fetched from this folder unless overridden in the ExternalSecret spec.\nExample: \"production/database\" or \"dev/api-keys\"\nLeave empty to retrieve secrets from the root folder.\nFor folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders",
              "type": [
                "string",
                "null"
              ]
            },
            "server": {
              "additionalProperties": false,
              "description": "Server configures the BeyondTrust Workload Credentials server connection details.\nIncludes the API URL and Site ID for your BeyondTrust instance.\nFor API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api",
              "properties": {
                "apiUrl": {
                  "description": "APIURL is the base URL of your BeyondTrust Workload Credentials API server.\nThis should be the full URL to your BeyondTrust instance.\nExample: https://api.beyondtrust.io/site\nFor more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url",
                  "type": "string"
                },
                "siteId": {
                  "description": "SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).\nThis identifier is unique to your BeyondTrust Workload Credentials instance.\nYou can find your Site ID in the BeyondTrust Workload Credentials admin console.\nExample: a1b2c3d4-e5f6-4890-abcd-ef1234567890\nFor more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api",
                  "type": "string"
                }
              },
              "required": [
                "apiUrl",
                "siteId"
              ],
              "type": "object"
            }
          },
          "required": [
            "auth",
            "server"
          ],
          "type": "object"
        },
        "retrySettings": {
          "additionalProperties": false,
          "description": "RetrySettings configures exponential backoff for failed API requests.\nIf not specified, uses the default retry settings.",
          "properties": {
            "maxRetries": {
              "format": "int32",
              "type": [
                "integer",
                "null"
              ]
            },
            "retryInterval": {
              "type": [
                "string",
                "null"
              ]
            }
          },
          "type": [
            "object",
            "null"
          ]
        }
      },
      "required": [
        "provider"
      ],
      "type": [
        "object",
        "null"
      ]
    }
  },
  "type": "object"
}