diff --git a/external-secrets.io/externalsecret_v1.json b/external-secrets.io/externalsecret_v1.json
index 7eed15a9..21bedd20 100644
--- a/external-secrets.io/externalsecret_v1.json
+++ b/external-secrets.io/externalsecret_v1.json
@@ -1,5 +1,5 @@
 {
- "description": "ExternalSecret is the Schema for the external-secrets API.",
+ "description": "ExternalSecret is the Schema for the external-secrets API.\nIt defines how to fetch data from external APIs and make it available as Kubernetes Secrets.",
 "properties": {
 "apiVersion": {
 "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
@@ -167,6 +167,7 @@
 "dataFrom": {
 "description": "DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order",
 "items": {
+ "description": "ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data\nwhen using DataFrom to fetch multiple values from a Provider.",
 "properties": {
 "extract": {
 "description": "Used to extract multiple key/value pairs from one secret\nNote: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.",
@@ -271,6 +272,7 @@
 "rewrite": {
 "description": "Used to rewrite secret Keys after getting them from the secret Provider\nMultiple Rewrite operations can be provided. They are applied in a layered order (first to last)",
 "items": {
+ "description": "ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.",
 "maxProperties": 1,
 "minProperties": 1,
 "properties": {
@@ -442,8 +444,8 @@ "type": "array" }, "refreshInterval": { - "default": "1h", - "description": "RefreshInterval is the amount of time before the values are read again from the SecretStore provider,\nspecified as Golang Duration strings.\nValid time units are \"ns\", \"us\" (or \"\u00b5s\"), \"ms\", \"s\", \"m\", \"h\"\nExample values: \"1h\", \"2h30m\", \"10s\"\nMay be set to zero to fetch and create it once. Defaults to 1h.", + "default": "1h0m0s", + "description": "RefreshInterval is the amount of time before the values are read again from the SecretStore provider,\nspecified as Golang Duration strings.\nValid time units are \"ns\", \"us\" (or \"\u00b5s\"), \"ms\", \"s\", \"m\", \"h\"\nExample values: \"1h0m0s\", \"2h30m0s\", \"10m0s\"\nMay be set to \"0s\" to fetch and create it once. Defaults to 1h0m0s.", "type": "string" }, "refreshPolicy": { @@ -482,7 +484,7 @@ "creationPolicy": "Owner", "deletionPolicy": "Retain" }, - "description": "ExternalSecretTarget defines the Kubernetes Secret to be created\nThere can be only one target per ExternalSecret.", + "description": "ExternalSecretTarget defines the Kubernetes Secret to be created,\nthere can be only one target per ExternalSecret.", "properties": { "creationPolicy": { "default": "Owner", 
@@ -509,6 +511,27 @@ "description": "Immutable defines if the final secret will be immutable", "type": "boolean" }, + "manifest": { + "description": "Manifest defines a custom Kubernetes resource to create instead of a Secret.\nWhen specified, ExternalSecret will create the resource type defined here\n(e.g., ConfigMap, Custom Resource) instead of a Secret.\nWarning: Using Generic target. Make sure access policies and encryption are properly configured.", + "properties": { + "apiVersion": { + "description": "APIVersion of the target resource (e.g., \"v1\" for ConfigMap, \"argoproj.io/v1alpha1\" for ArgoCD Application)", + "minLength": 1, + "type": "string" + }, + "kind": { + "description": "Kind of the target resource (e.g., \"ConfigMap\", \"Application\")", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind" + ], + "type": "object", + "additionalProperties": false + }, "name": { "description": "The name of the Secret resource to be managed.\nDefaults to the .metadata.name of the ExternalSecret resource", "maxLength": 253, @@ -535,6 +558,7 @@ }, "mergePolicy": { "default": "Replace", + "description": "TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.", "enum": [ "Replace", "Merge" @@ -568,12 +592,15 @@ }, "templateFrom": { "items": { + "description": "TemplateFrom specifies a source for templates.\nEach item in the list can either reference a ConfigMap or a Secret resource.", "properties": { "configMap": { + "description": "TemplateRef specifies a reference to either a ConfigMap or a Secret resource.", "properties": { "items": { "description": "A list of keys in the ConfigMap/Secret to use as templates for Secret data", "items": { + "description": "TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.", "properties": { "key": { "description": "A key in the ConfigMap/Secret", 
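Review bot: `spec.target.manifest.apiVersion` and `kind` in the new `manifest` object are constrained only by `minLength: 1`, so any non-empty string is admitted even though the controller will presumably use the pair to create an arbitrary resource type. A `pattern` and `maxLength` on both would reject malformed values at admission instead of at reconcile, e.g. `"pattern": "^[A-Z][A-Za-z0-9]*$"` for `kind` and a group/version pattern for `apiVersion` (both constructed examples, not taken from the project). Since the description already warns that a generic target loses Secret-specific protections, it would also help to state that the operator's RBAC must allow create/update on the chosen kind and that data written to a ConfigMap or custom resource is readable by anyone with get on that kind, so access policy on the target kind becomes the only control.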
@@ -584,6 +611,7 @@ }, "templateAs": { "default": "Values", + "description": "TemplateScope specifies how the template keys should be interpreted.", "enum": [ "Values", "KeysAndValues" @@ -618,10 +646,12 @@ "type": "string" }, "secret": { + "description": "TemplateRef specifies a reference to either a ConfigMap or a Secret resource.", "properties": { "items": { "description": "A list of keys in the ConfigMap/Secret to use as templates for Secret data", "items": { + "description": "TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.", "properties": { "key": { "description": "A key in the ConfigMap/Secret", @@ -632,6 +662,7 @@ }, "templateAs": { "default": "Values", + "description": "TemplateScope specifies how the template keys should be interpreted.", "enum": [ "Values", "KeysAndValues" @@ -664,11 +695,7 @@ }, "target": { "default": "Data", - "enum": [ - "Data", - "Annotations", - "Labels" - ], + "description": "Target specifies where to place the template result.\nFor Secret resources, common values are: \"Data\", \"Annotations\", \"Labels\".\nFor custom resources (when spec.target.manifest is set), this supports\nnested paths like \"spec.database.config\" or \"data\".", "type": "string" } }, @@ -693,6 +720,7 @@ "additionalProperties": false }, "status": { + "description": "ExternalSecretStatus defines the observed state of ExternalSecret.", "properties": { "binding": { "description": "Binding represents a servicebinding.io Provisioned Service reference to the secret", @@ -709,6 +737,7 @@ }, "conditions": { "items": { + "description": "ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.", "properties": { "lastTransitionTime": { "format": "date-time", @@ -724,6 +753,7 @@ "type": "string" }, "type": { + "description": "ExternalSecretConditionType defines a value type for ExternalSecret conditions.", "enum": [ "Ready", "Deleted" 
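Review bot: Dropping the `enum` on `templateFrom[].target` (hunk `@@ -664,11 +695,7 @@`) turns the field into a free-form string for plain Secret targets too, so a typo such as `"data"` or `"Label"` now passes admission and fails, or writes somewhere unintended, only at reconcile time. The same change appears in pushsecret_v1alpha1 (hunk `@@ -414,11 +432,7 @@`), whose new description also refers to `spec.target.manifest` although this diff adds no such field to that schema; that should be checked. A spec-level CEL rule keeping the old closed set when `spec.target.manifest` is absent would preserve the previous guarantee, roughly `!has(self.target.manifest) ? <every templateFrom entry's target in ['Data','Annotations','Labels']> : true`, with the exact path taken from the v1 types. Failing that, a `pattern` bounding the nested-path syntax, e.g. `^[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z0-9_]+)*$` (constructed), would still catch most mistakes.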
diff --git a/external-secrets.io/externalsecret_v1beta1.json b/external-secrets.io/externalsecret_v1beta1.json index cb3f0f11..e7b5cbb3 100644 --- a/external-secrets.io/externalsecret_v1beta1.json +++ b/external-secrets.io/externalsecret_v1beta1.json @@ -1,5 +1,5 @@ { - "description": "ExternalSecret is the Schema for the external-secrets API.", + "description": "ExternalSecret is the schema for the external-secrets API.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -165,6 +165,7 @@ "dataFrom": { "description": "DataFrom is used to fetch all properties from a specific Provider data\nIf multiple entries are specified, the Secret keys are merged in the specified order", "items": { + "description": "ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.", "properties": { "extract": { "description": "Used to extract multiple key/value pairs from one secret\nNote: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.", @@ -269,6 +270,7 @@ "rewrite": { "description": "Used to rewrite secret Keys after getting them from the secret Provider\nMultiple Rewrite operations can be provided. They are applied in a layered order (first to last)", "items": { + "description": "ExternalSecretRewrite defines rules on how to rewrite secret keys.", "maxProperties": 1, "minProperties": 1, "properties": { 
@@ -392,8 +394,8 @@ "type": "array" }, "refreshInterval": { - "default": "1h", - "description": "RefreshInterval is the amount of time before the values are read again from the SecretStore provider,\nspecified as Golang Duration strings.\nValid time units are \"ns\", \"us\" (or \"\u00b5s\"), \"ms\", \"s\", \"m\", \"h\"\nExample values: \"1h\", \"2h30m\", \"10s\"\nMay be set to zero to fetch and create it once. Defaults to 1h.", + "default": "1h0m0s", + "description": "RefreshInterval is the amount of time before the values are read again from the SecretStore provider,\nspecified as Golang Duration strings.\nValid time units are \"ns\", \"us\" (or \"\u00b5s\"), \"ms\", \"s\", \"m\", \"h\"\nExample values: \"1h0m0s\", \"2h30m0s\", \"10m0s\"\nMay be set to \"0s\" to fetch and create it once. Defaults to 1h0m0s.", "type": "string" }, "refreshPolicy": { @@ -485,6 +487,7 @@ }, "mergePolicy": { "default": "Replace", + "description": "TemplateMergePolicy defines how template values should be merged when generating a secret.", "enum": [ "Replace", "Merge" @@ -512,12 +515,15 @@ }, "templateFrom": { "items": { + "description": "TemplateFrom defines a source for template data.", "properties": { "configMap": { + "description": "TemplateRef defines a reference to a template source in a ConfigMap or Secret.", "properties": { "items": { "description": "A list of keys in the ConfigMap/Secret to use as templates for Secret data", "items": { + "description": "TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.", "properties": { "key": { "description": "A key in the ConfigMap/Secret", @@ -528,6 +534,7 @@ }, "templateAs": { "default": "Values", + "description": "TemplateScope defines the scope of the template when processing template data.", "enum": [ "Values", "KeysAndValues" 
@@ -562,10 +569,12 @@ "type": "string" }, "secret": { + "description": "TemplateRef defines a reference to a template source in a ConfigMap or Secret.", "properties": { "items": { "description": "A list of keys in the ConfigMap/Secret to use as templates for Secret data", "items": { + "description": "TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.", "properties": { "key": { "description": "A key in the ConfigMap/Secret", @@ -576,6 +585,7 @@ }, "templateAs": { "default": "Values", + "description": "TemplateScope defines the scope of the template when processing template data.", "enum": [ "Values", "KeysAndValues" @@ -608,6 +618,7 @@ }, "target": { "default": "Data", + "description": "TemplateTarget defines the target field where the template result will be stored.", "enum": [ "Data", "Annotations", @@ -637,6 +648,7 @@ "additionalProperties": false }, "status": { + "description": "ExternalSecretStatus defines the observed state of ExternalSecret.", "properties": { "binding": { "description": "Binding represents a servicebinding.io Provisioned Service reference to the secret", @@ -653,6 +665,7 @@ }, "conditions": { "items": { + "description": "ExternalSecretStatusCondition contains condition information for an ExternalSecret.", "properties": { "lastTransitionTime": { "format": "date-time", @@ -668,6 +681,7 @@ "type": "string" }, "type": { + "description": "ExternalSecretConditionType defines the condition type for an ExternalSecret.", "type": "string" } }, diff --git a/external-secrets.io/pushsecret_v1alpha1.json b/external-secrets.io/pushsecret_v1alpha1.json index d4f9d2e1..f67cccce 100644 --- a/external-secrets.io/pushsecret_v1alpha1.json +++ b/external-secrets.io/pushsecret_v1alpha1.json 
@@ -1,4 +1,5 @@
 {
+ "description": "PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.",
 "properties": {
 "apiVersion": {
 "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
@@ -17,6 +18,7 @@
 "data": {
 "description": "Secret Data that should be pushed to providers",
 "items": {
+ "description": "PushSecretData defines data to be pushed to the provider and associated metadata.",
 "properties": {
 "conversionStrategy": {
 "default": "None",
@@ -82,12 +84,13 @@
 "type": "string"
 },
 "refreshInterval": {
- "default": "1h",
+ "default": "1h0m0s",
 "description": "The Interval to which External Secrets will try to push a secret definition",
 "type": "string"
 },
 "secretStoreRefs": {
 "items": {
+ "description": "PushSecretStoreRef contains a reference on how to sync to a SecretStore.",
 "properties": {
 "kind": {
 "default": "SecretStore",
@@ -176,6 +179,7 @@
 "enum": [
 "ACRAccessToken",
 "ClusterGenerator",
+ "CloudsmithAccessToken",
 "ECRAuthorizationToken",
 "Fake",
 "GCRAccessToken",
@@ -291,6 +295,7 @@
 },
 "mergePolicy": {
 "default": "Replace",
+ "description": "TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.",
 "enum": [
 "Replace",
 "Merge"
@@ -306,6 +311,12 @@
 },
 "type": "object"
 },
+ "finalizers": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
 "labels": {
 "additionalProperties": {
 "type": "string"
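Review bot: The new `finalizers` array under template metadata (hunk `@@ -306,6 +311,12 @@`) accepts any string, with no `pattern`, `maxItems` or `description`, unlike the neighbouring typed maps. Finalizer names must be qualified names, and the API server only rejects a malformed one when the object carrying it is written, so a bad value is admitted here and surfaces later; a finalizer that nothing clears also blocks deletion of whatever object receives it. Suggest a qualified-name `pattern`, a `maxItems`, and a description such as `"description": "Finalizers to set through the template; the operator does not remove them, so each must be cleared by its owner."` — hedged, since how the controller applies template metadata for a PushSecret is not visible in this diff.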
@@ -318,12 +329,15 @@ }, "templateFrom": { "items": { + "description": "TemplateFrom specifies a source for templates.\nEach item in the list can either reference a ConfigMap or a Secret resource.", "properties": { "configMap": { + "description": "TemplateRef specifies a reference to either a ConfigMap or a Secret resource.", "properties": { "items": { "description": "A list of keys in the ConfigMap/Secret to use as templates for Secret data", "items": { + "description": "TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.", "properties": { "key": { "description": "A key in the ConfigMap/Secret", @@ -334,6 +348,7 @@ }, "templateAs": { "default": "Values", + "description": "TemplateScope specifies how the template keys should be interpreted.", "enum": [ "Values", "KeysAndValues" @@ -368,10 +383,12 @@ "type": "string" }, "secret": { + "description": "TemplateRef specifies a reference to either a ConfigMap or a Secret resource.", "properties": { "items": { "description": "A list of keys in the ConfigMap/Secret to use as templates for Secret data", "items": { + "description": "TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.", "properties": { "key": { "description": "A key in the ConfigMap/Secret", @@ -382,6 +399,7 @@ }, "templateAs": { "default": "Values", + "description": "TemplateScope specifies how the template keys should be interpreted.", "enum": [ "Values", "KeysAndValues" @@ -414,11 +432,7 @@ }, "target": { "default": "Data", - "enum": [ - "Data", - "Annotations", - "Labels" - ], + "description": "Target specifies where to place the template result.\nFor Secret resources, common values are: \"Data\", \"Annotations\", \"Labels\".\nFor custom resources (when spec.target.manifest is set), this supports\nnested paths like \"spec.database.config\" or \"data\".", "type": "string" } }, 
@@ -494,6 +508,7 @@ "syncedPushSecrets": { "additionalProperties": { "additionalProperties": { + "description": "PushSecretData defines data to be pushed to the provider and associated metadata.", "properties": { "conversionStrategy": { "default": "None", diff --git a/external-secrets.io/secretstore_v1.json b/external-secrets.io/secretstore_v1.json index 63a9548e..34b8e52c 100644 --- a/external-secrets.io/secretstore_v1.json +++ b/external-secrets.io/secretstore_v1.json @@ -16,7 +16,7 @@ "description": "SecretStoreSpec defines the desired state of SecretStore.", "properties": { "conditions": { - "description": "Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore", + "description": "Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.", "items": { "description": "ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in\nfor a ClusterSecretStore instance.", "properties": { @@ -219,7 +219,7 @@ "additionalProperties": false }, "accessType": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -247,7 +247,7 @@ "additionalProperties": false }, "accessTypeParam": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -342,7 +342,7 @@ "description": "AlibabaAuth contains a secretRef for credentials.", "properties": { "rrsa": { - "description": "Authenticate against Alibaba using RRSA.", + "description": "AlibabaRRSAAuth authenticates against Alibaba using RRSA.", "properties": { "oidcProviderArn": { "type": "string" @@ -463,10 +463,10 @@ "description": "Auth defines the information necessary to authenticate against AWS\nif not set aws sdk will infer credentials from your environment\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials", "properties": { "jwt": { - "description": "Authenticate against AWS using service account tokens.", + "description": "AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", 
@@ -619,7 +619,7 @@ "type": "boolean" }, "recoveryWindowInDays": { - "description": "The number of days from 7 to 30 that Secrets Manager waits before\npermanently deleting the secret. You can't use both this parameter and\nForceDeleteWithoutRecovery in the same call. If you don't use either,\nthen by default Secrets Manager uses a 30 day recovery window.\nsee: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays", + "description": "The number of days from 7 to 30 that Secrets Manager waits before\npermanently deleting the secret. You can't use both this parameter and\nForceDeleteWithoutRecovery in the same call. If you don't use either,\nthen by default Secrets Manager uses a 30-day recovery window.\nsee: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays", "format": "int64", "type": "integer" } @@ -638,6 +638,7 @@ "sessionTags": { "description": "AWS STS assume role session tags", "items": { + "description": "Tag is a key-value pair that can be attached to an AWS resource.\nsee: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html", "properties": { "key": { "type": "string" 
@@ -803,7 +804,7 @@ "type": "string" }, "customCloudConfig": { - "description": "CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.\nRequired when EnvironmentType is AzureStackCloud.\nIMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud\nconfiguration is not supported with the legacy go-autorest SDK.", + "description": "CustomCloudConfig defines custom Azure endpoints for non-standard clouds.\nRequired when EnvironmentType is AzureStackCloud.\nOptional for other environment types - useful for Azure China when using Workload Identity\nwith AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the\nstandard China Cloud endpoint (login.chinacloudapi.cn).\nIMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud\nconfiguration is not supported with the legacy go-autorest SDK.", "properties": { "activeDirectoryEndpoint": { "description": "ActiveDirectoryEndpoint is the AAD endpoint for authentication\nRequired when using custom cloud configuration", 
@@ -895,6 +896,117 @@ "type": "object", "additionalProperties": false }, + "barbican": { + "description": "Barbican configures this store to sync secrets using the OpenStack Barbican provider", + "properties": { + "auth": { + "description": "BarbicanAuth contains the authentication information for Barbican.", + "properties": { + "password": { + "description": "BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.", + "properties": { + "secretRef": { + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "properties": { + "key": { + "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "The namespace of the Secret resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "secretRef" + ], + "type": "object", + "additionalProperties": false + }, + "username": { + "description": "BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.", + "maxProperties": 1, + "minProperties": 1, + "properties": { + "secretRef": { + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "properties": { + "key": { + 
"description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "The namespace of the Secret resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "value": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "password", + "username" + ], + "type": "object", + "additionalProperties": false + }, + "authURL": { + "type": "string" + }, + "domainName": { + "type": "string" + }, + "region": { + "type": "string" + }, + "tenantName": { + "type": "string" + } + }, + "required": [ + "auth" + ], + "type": "object", + "additionalProperties": false + }, "beyondtrust": { "description": "Beyondtrust configures this store to sync secrets using Password Safe provider.", "properties": { @@ -1746,6 +1858,7 @@ "description": "Auth configures how secret-manager authenticates with a Device42 instance.", "properties": { "secretRef": { + "description": "Device42SecretRef contains the secret reference for accessing the Device42 instance.", "properties": { "credentials": { "description": "Username / Password is used for authentication.", 
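Review bot: `authURL` in the new `barbican` provider (hunk `@@ -895,6 +896,117 @@`, which begins on the previous line) is an unconstrained string and is not listed under `required`, although the credentials from `auth.password.secretRef` are presumably exchanged at that endpoint. Adding `"format": "uri"` and `"minLength": 1`, and putting `authURL` in `required` if the provider cannot work without it, would reject an empty or malformed endpoint at admission instead of at reconcile; a CEL rule such as `self.authURL.startsWith('https://')` would additionally stop a misconfigured store from posting credentials over plaintext. The `password` side correctly allows only `secretRef`, while `username` permits an inline `value`, which is acceptable since the username is not secret.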
@@ -1804,7 +1917,60 @@ "auth": { "description": "Auth configures how the Operator authenticates with the Doppler API", "properties": { + "oidcConfig": { + "description": "OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.", + "properties": { + "expirationSeconds": { + "default": 600, + "description": "ExpirationSeconds sets the ServiceAccount token validity duration.\nDefaults to 10 minutes.", + "format": "int64", + "type": "integer" + }, + "identity": { + "description": "Identity is the Doppler Service Account Identity ID configured for OIDC authentication.", + "type": "string" + }, + "serviceAccountRef": { + "description": "ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "identity", + "serviceAccountRef" + ], + "type": "object", + "additionalProperties": false + }, "secretRef": { + "description": "SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.", "properties": { "dopplerToken": { "description": "The DopplerToken is used for 
authentication.\nSee https://docs.doppler.com/reference/api#authentication for auth token types.\nThe Key attribute defaults to dopplerToken if not specified.",
@@ -1842,10 +2008,13 @@
 "additionalProperties": false
 }
 },
- "required": [
- "secretRef"
- ],
 "type": "object",
+ "x-kubernetes-validations": [
+ {
+ "message": "Exactly one of 'secretRef' or 'oidcConfig' must be specified",
+ "rule": "(has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))"
+ }
+ ],
 "additionalProperties": false
 },
 "config": {
@@ -1891,6 +2060,7 @@
 "properties": {
 "data": {
 "items": {
+ "description": "FakeProviderData defines a key-value pair with optional version for the fake provider.",
 "properties": {
 "key": {
 "type": "string"
@@ -1912,6 +2082,7 @@
 "type": "array"
 },
 "validationResult": {
+ "description": "ValidationResult is defined type for the number of validation results.",
 "type": "integer"
 }
 },
@@ -1974,6 +2145,7 @@
 "description": "Auth defines the information necessary to authenticate against GCP",
 "properties": {
 "secretRef": {
+ "description": "GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.",
 "properties": {
 "secretAccessKeySecretRef": {
 "description": "The SecretAccessKey is used for authentication",
@@ -2008,6 +2180,7 @@
 "additionalProperties": false
 },
 "workloadIdentity": {
+ "description": "GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.",
 "properties": {
 "clusterLocation": {
 "description": "ClusterLocation is the location of the cluster\nIf not specified, it fetches information from the metadata server",
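Review bot: `oidcConfig.expirationSeconds` in the Doppler hunk (`@@ -1804,7 +1917,60 @@`, which begins on the previous line) has `"default": 600` but no `minimum` or `maximum`, so zero, negative or multi-day values are admitted. The Kubernetes TokenRequest API refuses lifetimes under 600 seconds, so a low value fails only at reconcile, while a large value mints long-lived bearer tokens for the Doppler identity on every refresh. Suggest `"minimum": 600` plus a `maximum` matching the longest lifetime the Doppler side accepts, and a note in the description that the token is requested fresh on each sync so a short lifetime costs nothing. The CEL rule in the following hunk, which replaces `required: [secretRef]`, does enforce exactly one of `secretRef`/`oidcConfig` and reads correctly.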
@@ -2022,7 +2195,7 @@ "type": "string" }, "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", @@ -2202,7 +2375,7 @@ "additionalProperties": false }, "github": { - "description": "Github configures this store to push GitHub Action secrets using GitHub API provider.\nNote: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub", + "description": "Github configures this store to push GitHub Actions secrets using the GitHub API provider.\nNote: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub", "properties": { "appID": { "description": "appID specifies the Github APP that will be used to authenticate the client", @@ -2213,7 +2386,7 @@ "description": "auth configures how secret-manager authenticates with a Github instance.", "properties": { "privateKey": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2290,6 +2463,7 @@ "description": "Auth configures how secret-manager authenticates with a GitLab instance.", "properties": { "SecretRef": { + "description": "GitlabSecretRef contains the secret reference for GitLab authentication credentials.", "properties": { "accessToken": { "description": "AccessToken is used for authentication.", 
@@ -2414,7 +2588,7 @@
 "minProperties": 1,
 "properties": {
 "containerAuth": {
- "description": "IBM Container-based auth with IAM Trusted Profile.",
+ "description": "IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.",
 "properties": {
 "iamEndpoint": {
 "type": "string"
@@ -2435,7 +2609,12 @@
 "additionalProperties": false
 },
 "secretRef": {
+ "description": "IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.",
 "properties": {
+ "iamEndpoint": {
+ "description": "The IAM endpoint used to obain a token",
+ "type": "string"
+ },
 "secretApiKeySecretRef": {
 "description": "The SecretAccessKey is used for authentication",
 "properties": {
@@ -2490,9 +2669,10 @@
 "description": "Auth configures how the Operator authenticates with the Infisical API",
 "properties": {
 "awsAuthCredentials": {
+ "description": "AwsAuthCredentials represents the credentials for AWS authentication.",
 "properties": {
 "identityId": {
- "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.",
+ "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.",
 "properties": {
 "key": {
 "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.",
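Review bot: The new `secretRef.iamEndpoint` description (hunk `@@ -2435,7 +2609,12 @@`) has a typo, `obain` for `obtain`: `"description": "The IAM endpoint used to obtain a token"`. The field is otherwise a bare string; since the API key from `secretApiKeySecretRef` is exchanged at this endpoint, `"format": "uri"` and ideally a CEL rule requiring an https scheme would keep a misconfiguration that sends the key to an arbitrary host or over plaintext from being admitted. The existing `containerAuth.iamEndpoint` shown as context a few lines earlier has the same unconstrained shape, so both should be tightened together.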
@@ -2527,9 +2707,10 @@ "additionalProperties": false }, "azureAuthCredentials": { + "description": "AzureAuthCredentials represents the credentials for Azure authentication.", "properties": { "identityId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2557,7 +2738,7 @@ "additionalProperties": false }, "resource": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2592,9 +2773,10 @@ "additionalProperties": false }, "gcpIamAuthCredentials": { + "description": "GcpIamAuthCredentials represents the credentials for GCP IAM authentication.", "properties": { "identityId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -2622,7 +2804,7 @@ "additionalProperties": false }, "serviceAccountKeyFilePath": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2658,9 +2840,10 @@ "additionalProperties": false }, "gcpIdTokenAuthCredentials": { + "description": "GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.", "properties": { "identityId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2695,9 +2878,10 @@ "additionalProperties": false }, "jwtAuthCredentials": { + "description": "JwtAuthCredentials represents the credentials for JWT authentication.", "properties": { "identityId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -2725,7 +2909,7 @@ "additionalProperties": false }, "jwt": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2761,9 +2945,10 @@ "additionalProperties": false }, "kubernetesAuthCredentials": { + "description": "KubernetesAuthCredentials represents the credentials for Kubernetes authentication.", "properties": { "identityId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2791,7 +2976,7 @@ "additionalProperties": false }, "serviceAccountTokenPath": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -2826,9 +3011,10 @@ "additionalProperties": false }, "ldapAuthCredentials": { + "description": "LdapAuthCredentials represents the credentials for LDAP authentication.", "properties": { "identityId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2856,7 +3042,7 @@ "additionalProperties": false }, "ldapPassword": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2884,7 +3070,7 @@ "additionalProperties": false }, "ldapUsername": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -2921,9 +3107,10 @@ "additionalProperties": false }, "ociAuthCredentials": { + "description": "OciAuthCredentials represents the credentials for OCI authentication.", "properties": { "fingerprint": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2951,7 +3138,7 @@ "additionalProperties": false }, "identityId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2979,7 +3166,7 @@ "additionalProperties": false }, "privateKey": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -3007,7 +3194,7 @@ "additionalProperties": false }, "privateKeyPassphrase": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3035,7 +3222,7 @@ "additionalProperties": false }, "region": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3063,7 +3250,7 @@ "additionalProperties": false }, "tenancyId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3091,7 +3278,7 @@ "additionalProperties": false }, "userId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -3131,9 +3318,10 @@ "additionalProperties": false }, "tokenAuthCredentials": { + "description": "TokenAuthCredentials represents the credentials for access token-based authentication.", "properties": { "accessToken": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3168,9 +3356,10 @@ "additionalProperties": false }, "universalAuthCredentials": { + "description": "UniversalAuthCredentials represents the client credentials for universal authentication.", "properties": { "clientId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3198,7 +3387,7 @@ "additionalProperties": false }, "clientSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -3237,6 +3426,51 @@ "type": "object", "additionalProperties": false }, + "caBundle": { + "description": "CABundle is a PEM-encoded CA certificate bundle used to validate\nthe Infisical server's TLS certificate. Mutually exclusive with CAProvider.", + "format": "byte", + "type": "string" + }, + "caProvider": { + "description": "CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.\nThe certificate is used to validate the Infisical server's TLS certificate.\nMutually exclusive with CABundle.", + "properties": { + "key": { + "description": "The key where the CA certificate can be found in the Secret or ConfigMap.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "The name of the object located at the provider type.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "type": { + "description": "The type of provider to use such as \"Secret\", or \"ConfigMap\".", + "enum": [ + "Secret", + "ConfigMap" + ], + "type": "string" + } + }, + "required": [ + "name", + "type" + ], + "type": "object", + "additionalProperties": false + }, "hostAPI": { "default": "https://app.infisical.com/api", "description": "HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to \"https://app.infisical.com/api\".", 
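Review bot: Both new `caBundle` and `caProvider` descriptions claim to be "Mutually exclusive" with each other, but nothing in the schema enforces that — they are two independent optional properties with no `oneOf`/`not`, so a manifest setting both validates and the precedence is decided by the controller, which is not visible here. If the Go type carries a CEL rule or webhook check, say so in the description; otherwise consider `"not": {"required": ["caBundle", "caProvider"]}` on the enclosing object (or the CRD-side `x-kubernetes-validations` equivalent, given this file looks generated). The `caProvider.namespace` text "Can only be defined when used in a ClusterSecretStore" is likewise documented rather than enforced, so the controller must be the one rejecting a namespaced SecretStore that points at a Secret/ConfigMap in another namespace — worth confirming, since the caProvider reference is a cross-namespace read.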
@@ -3288,7 +3522,7 @@ "description": "KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider", "properties": { "authRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3338,7 +3572,7 @@ "description": "has both clientCert and clientKey as secretKeySelector", "properties": { "clientCert": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3366,7 +3600,7 @@ "additionalProperties": false }, "clientKey": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -3432,7 +3666,7 @@ "description": "use static token to authenticate with", "properties": { "bearerToken": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -4030,12 +4264,13 @@ "additionalProperties": false }, "passbolt": { + "description": "PassboltProvider provides access to Passbolt secrets manager.\nSee: https://www.passbolt.com.", "properties": { "auth": { "description": "Auth defines the information necessary to authenticate against Passbolt Server", "properties": { "passwordSecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -4063,7 +4298,7 @@ "additionalProperties": false }, "privateKeySecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -4111,12 +4346,13 @@ "additionalProperties": false }, "passworddepot": { - "description": "Configures a store to sync secrets with a Password Depot instance.", + "description": "PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.", "properties": { "auth": { "description": "Auth configures how secret-manager authenticates with a Password Depot instance.", "properties": { "secretRef": { + "description": "PasswordDepotSecretRef contains the secret reference for Password Depot authentication.", "properties": { "credentials": { "description": "Username / Password is used for authentication.", @@ -4298,7 +4534,7 @@ "additionalProperties": false }, "scaleway": { - "description": "Scaleway", + "description": "Scaleway configures this store to sync secrets using the Scaleway provider.", "properties": { "accessKey": { "description": "AccessKey is the non-secret part of the api key.", 
@@ -4403,6 +4639,51 @@ "secretserver": { "description": "SecretServer configures this store to sync secrets using SecretServer provider\nhttps://docs.delinea.com/online-help/secret-server/start.htm", "properties": { + "caBundle": { + "description": "PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used\nif the ServerURL URL is using HTTPS protocol. If not set the system root certificates\nare used to validate the TLS connection.", + "format": "byte", + "type": "string" + }, + "caProvider": { + "description": "The provider for the CA bundle to use to validate Secret ServerURL certificate.", + "properties": { + "key": { + "description": "The key where the CA certificate can be found in the Secret or ConfigMap.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "The name of the object located at the provider type.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + }, + "type": { + "description": "The type of provider to use such as \"Secret\", or \"ConfigMap\".", + "enum": [ + "Secret", + "ConfigMap" + ], + "type": "string" + } + }, + "required": [ + "name", + "type" + ], + "type": "object", + "additionalProperties": false + }, "domain": { "description": "Domain is the secret server domain.", "type": "string" 
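Review bot: The SecretServer `caBundle`/`caProvider` pair does not say which one wins when both are set and, like the Infisical pair earlier in this file, the schema does not forbid setting both; aligning the wording would help, e.g. appending `Mutually exclusive with caProvider.` to the `caBundle` description and the converse to `caProvider`, or documenting the precedence the controller applies. The `caBundle` text "PEM/base64 encoded" is ambiguous next to `"format": "byte"` (which implies base64) — saying "base64 encoding of a PEM CA bundle" would remove the doubt about whether raw PEM is accepted. The note that the bundle is "Only used if the ServerURL URL is using HTTPS protocol" is a useful reminder that an `http://` ServerURL silently skips TLS altogether; if the controller does not reject plain HTTP, the description might say so explicitly.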
@@ -4508,7 +4789,7 @@ "type": "string" }, "clientSecretSecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -4566,7 +4847,7 @@ "additionalProperties": false }, "vault": { - "description": "Vault configures this store to sync secrets using Hashi provider", + "description": "Vault configures this store to sync secrets using the HashiCorp Vault provider.", "properties": { "auth": { "description": "Auth configures how secret-manager authenticates with the Vault server.", 
@@ -4715,6 +4996,152 @@ "type": "object", "additionalProperties": false }, + "gcp": { + "description": "Gcp authenticates with Vault using Google Cloud Platform authentication method\nGCP authentication method", + "properties": { + "location": { + "description": "Location optionally defines a location/region for the secret", + "type": "string" + }, + "path": { + "default": "gcp", + "description": "Path where the GCP auth method is enabled in Vault, e.g: \"gcp\"", + "type": "string" + }, + "projectID": { + "description": "Project ID of the Google Cloud Platform project", + "type": "string" + }, + "role": { + "description": "Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.", + "type": "string" + }, + "secretRef": { + "description": "Specify credentials in a Secret object", + "properties": { + "secretAccessKeySecretRef": { + "description": "The SecretAccessKey is used for authentication", + "properties": { + "key": { + "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "The namespace of the Secret resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "serviceAccountRef": { + "description": "ServiceAccountRef to a service account for 
impersonation", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "workloadIdentity": { + "description": "Specify a service account with Workload Identity", + "properties": { + "clusterLocation": { + "description": "ClusterLocation is the location of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "clusterName": { + "description": "ClusterName is the name of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "clusterProjectID": { + "description": "ClusterProjectID is the project ID of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "serviceAccountRef": { + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "serviceAccountRef" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "role" + ], + "type": "object", + "additionalProperties": false + }, "iam": { "description": "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials\nAWS IAM authentication method", "properties": { @@ -4726,7 +5153,7 @@ "description": "Specify a service account with IRSA enabled", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", 
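Review bot: The new Vault `gcp` auth object requires only `role` and leaves `secretRef`, `serviceAccountRef` and `workloadIdentity` all optional with no constraint on how many may be set and no statement of precedence, so a manifest with none or several credential sources validates; compare the IBM `auth` object earlier in this file, which carries `"minProperties": 1`. Suggest stating in the `gcp` description which source is used when more than one is present, or adding a schema/CEL constraint requiring exactly one, if that is what the controller enforces (not visible here). The description itself repeats its subject — `"Gcp authenticates with Vault using Google Cloud Platform authentication method\nGCP authentication method"` could read `"Gcp authenticates with Vault using the Google Cloud Platform (GCP) auth method."`. The two `serviceAccountRef` fields (one directly under `gcp`, described as "for impersonation", one under `workloadIdentity`) share the same ServiceAccountSelector shape, so their descriptions should say how they differ; the enclosing `auth` object starts outside this hunk.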
@@ -5479,7 +5906,7 @@ "description": "NTLMProtocol configures the store to use NTLM for auth", "properties": { "passwordSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -5507,7 +5934,7 @@ "additionalProperties": false }, "usernameSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -5620,6 +6047,7 @@ "secrets": { "description": "Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name", "items": { + "description": "WebhookSecret defines a secret that will be passed to the webhook request.", "properties": { "name": { "description": "Name of this secret in templates", @@ -5673,7 +6101,6 @@ } }, "required": [ - "result", "url" ], "type": "object", 
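Review bot: Removing `"result"` from the webhook provider's `required` list relaxes validation without explanation: a manifest that omits `result` now passes the schema, but nothing in the hunk says what the controller does with the HTTP response in that case (uses the body verbatim, applies a default, or rejects at reconcile time). If omission is now a supported mode, the `result` property's description (outside this hunk) should document that default; if it is not, the field should stay required so the error surfaces at admission rather than at sync time. For a provider that turns an arbitrary HTTP response into Secret data, I would want the justification recorded in the commit message; the enclosing webhook object starts outside this hunk.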
@@ -5725,7 +6152,7 @@ "description": "The provider for the CA bundle to use to validate Yandex.Cloud server certificate.", "properties": { "certSecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -5836,7 +6263,7 @@ "description": "The provider for the CA bundle to use to validate Yandex.Cloud server certificate.", "properties": { "certSecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -5910,7 +6337,7 @@ "type": "integer" }, "retrySettings": { - "description": "Used to configure http retries if failed", + "description": "Used to configure HTTP retries on failures.", "properties": { "maxRetries": { "format": "int32", @@ -5939,6 +6366,7 @@ }, "conditions": { "items": { + "description": "SecretStoreStatusCondition contains condition information for a SecretStore.", "properties": { "lastTransitionTime": { "format": "date-time", @@ -5954,6 +6382,7 @@ "type": "string" }, "type": { + "description": "SecretStoreConditionType represents the condition of the SecretStore.", "type": "string" } }, diff --git a/external-secrets.io/secretstore_v1beta1.json b/external-secrets.io/secretstore_v1beta1.json index cdf07ec1..c63ef43e 100644 --- a/external-secrets.io/secretstore_v1beta1.json 
+++ b/external-secrets.io/secretstore_v1beta1.json @@ -16,7 +16,7 @@ "description": "SecretStoreSpec defines the desired state of SecretStore.", "properties": { "conditions": { - "description": "Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore", + "description": "Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.", "items": { "description": "ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in\nfor a ClusterSecretStore instance.", "properties": { @@ -219,7 +219,7 @@ "additionalProperties": false }, "accessType": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -247,7 +247,7 @@ "additionalProperties": false }, "accessTypeParam": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -342,7 +342,7 @@ "description": "AlibabaAuth contains a secretRef for credentials.", "properties": { "rrsa": { - "description": "Authenticate against Alibaba using RRSA.", + "description": "AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).", "properties": { "oidcProviderArn": { "type": "string" 
@@ -463,10 +463,10 @@ "description": "Auth defines the information necessary to authenticate against AWS\nif not set aws sdk will infer credentials from your environment\nsee: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials", "properties": { "jwt": { - "description": "Authenticate against AWS using service account tokens.", + "description": "AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", @@ -638,6 +638,7 @@ "sessionTags": { "description": "AWS STS assume role session tags", "items": { + "description": "Tag defines a tag key and value for AWS resources.", "properties": { "key": { "type": "string" @@ -1714,6 +1715,7 @@ "description": "Auth configures how secret-manager authenticates with a Device42 instance.", "properties": { "secretRef": { + "description": "Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.", "properties": { "credentials": { "description": "Username / Password is used for authentication.", 
@@ -1773,6 +1775,7 @@ "description": "Auth configures how the Operator authenticates with the Doppler API", "properties": { "secretRef": { + "description": "DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.", "properties": { "dopplerToken": { "description": "The DopplerToken is used for authentication.\nSee https://docs.doppler.com/reference/api#authentication for auth token types.\nThe Key attribute defaults to dopplerToken if not specified.", @@ -1859,6 +1862,7 @@ "properties": { "data": { "items": { + "description": "FakeProviderData defines a key-value pair for the fake provider used in testing.", "properties": { "key": { "type": "string" @@ -1939,6 +1943,7 @@ "description": "Auth defines the information necessary to authenticate against GCP", "properties": { "secretRef": { + "description": "GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.", "properties": { "secretAccessKeySecretRef": { "description": "The SecretAccessKey is used for authentication", @@ -1973,6 +1978,7 @@ "additionalProperties": false }, "workloadIdentity": { + "description": "GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.", "properties": { "clusterLocation": { "description": "ClusterLocation is the location of the cluster\nIf not specified, it fetches information from the metadata server", @@ -1987,7 +1993,7 @@ "type": "string" }, "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", 
@@ -2041,7 +2047,7 @@ "additionalProperties": false }, "github": { - "description": "Github configures this store to push Github Action secrets using Github API provider", + "description": "Github configures this store to push GitHub Actions secrets using the GitHub API provider.", "properties": { "appID": { "description": "appID specifies the Github APP that will be used to authenticate the client", @@ -2052,7 +2058,7 @@ "description": "auth configures how secret-manager authenticates with a Github instance.", "properties": { "privateKey": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2129,6 +2135,7 @@ "description": "Auth configures how secret-manager authenticates with a GitLab instance.", "properties": { "SecretRef": { + "description": "GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.", "properties": { "accessToken": { "description": "AccessToken is used for authentication.", @@ -2253,7 +2260,7 @@ "minProperties": 1, "properties": { "containerAuth": { - "description": "IBM Container-based auth with IAM Trusted Profile.", + "description": "IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.", "properties": { "iamEndpoint": { "type": "string" @@ -2274,6 +2281,7 @@ "additionalProperties": false }, "secretRef": { + "description": "IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.", "properties": { "secretApiKeySecretRef": { "description": "The SecretAccessKey is used for authentication", 
@@ -2329,9 +2337,10 @@ "description": "Auth configures how the Operator authenticates with the Infisical API", "properties": { "universalAuthCredentials": { + "description": "UniversalAuthCredentials defines the credentials for Infisical Universal Auth.", "properties": { "clientId": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2359,7 +2368,7 @@ "additionalProperties": false }, "clientSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2449,7 +2458,7 @@ "description": "KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider", "properties": { "authRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -2499,7 +2508,7 @@ "description": "has both clientCert and clientKey as secretKeySelector", "properties": { "clientCert": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2527,7 +2536,7 @@ "additionalProperties": false }, "clientKey": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -2593,7 +2602,7 @@ "description": "use static token to authenticate with", "properties": { "bearerToken": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -3047,12 +3056,13 @@ "additionalProperties": false }, "passbolt": { + "description": "PassboltProvider defines configuration for the Passbolt provider.", "properties": { "auth": { "description": "Auth defines the information necessary to authenticate against Passbolt Server", "properties": { "passwordSecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "PasswordSecretRef is a reference to the secret containing the Passbolt password", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3080,7 +3090,7 @@ "additionalProperties": false }, "privateKeySecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "PrivateKeySecretRef is a reference to the secret containing the Passbolt private key", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3128,12 +3138,13 @@ "additionalProperties": false }, "passworddepot": { - "description": "Configures a store to sync secrets with a Password Depot instance.", + "description": "PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.", "properties": { "auth": { "description": "Auth configures how secret-manager authenticates with a Password Depot instance.", "properties": { "secretRef": { + "description": "PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.", "properties": { "credentials": { "description": "Username / Password is used for authentication.", 
@@ -3315,7 +3326,7 @@ "additionalProperties": false }, "scaleway": { - "description": "Scaleway", + "description": "Scaleway configures this store to sync secrets using the Scaleway provider.", "properties": { "accessKey": { "description": "AccessKey is the non-secret part of the api key.", @@ -3521,7 +3532,7 @@ "type": "string" }, "clientSecretSecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -3579,7 +3590,7 @@ "additionalProperties": false }, "vault": { - "description": "Vault configures this store to sync secrets using Hashi provider", + "description": "Vault configures this store to sync secrets using the HashiCorp Vault provider.", "properties": { "auth": { "description": "Auth configures how secret-manager authenticates with the Vault server.", @@ -3734,7 +3745,7 @@ "description": "Specify a service account with IRSA enabled", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", 
@@ -4360,7 +4371,7 @@ "description": "NTLMProtocol configures the store to use NTLM for auth", "properties": { "passwordSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -4388,7 +4399,7 @@ "additionalProperties": false }, "usernameSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -4501,6 +4512,7 @@ "secrets": { "description": "Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name", "items": { + "description": "WebhookSecret defines a secret to be used in webhook templates.", "properties": { "name": { "description": "Name of this secret in templates", @@ -4606,7 +4618,7 @@ "description": "The provider for the CA bundle to use to validate Yandex.Cloud server certificate.", "properties": { "certSecretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", 
@@ -4690,7 +4702,7 @@
 "description": "The provider for the CA bundle to use to validate Yandex.Cloud server certificate.",
 "properties": {
 "certSecretRef": {
- "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.",
+ "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.",
 "properties": {
 "key": {
 "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.",
@@ -4737,13 +4749,15 @@
 "type": "integer"
 },
 "retrySettings": {
- "description": "Used to configure http retries if failed",
+ "description": "Used to configure HTTP retries on failures.",
 "properties": {
 "maxRetries": {
+ "description": "MaxRetries is the maximum number of retry attempts.",
 "format": "int32",
 "type": "integer"
 },
 "retryInterval": {
+ "description": "RetryInterval is the interval between retry attempts.",
 "type": "string"
 }
 },
@@ -4766,6 +4780,7 @@
 },
 "conditions": {
 "items": {
+ "description": "SecretStoreStatusCondition defines the observed condition of the SecretStore.",
 "properties": {
 "lastTransitionTime": {
 "format": "date-time",
@@ -4781,6 +4796,7 @@
 "type": "string"
 },
 "type": {
+ "description": "SecretStoreConditionType represents the condition type of the SecretStore.",
 "type": "string"
 }
 },
diff --git a/generators.external-secrets.io/acraccesstoken_v1alpha1.json b/generators.external-secrets.io/acraccesstoken_v1alpha1.json
index 6553bc58..2122dad7 100644
--- a/generators.external-secrets.io/acraccesstoken_v1alpha1.json
+++ b/generators.external-secrets.io/acraccesstoken_v1alpha1.json
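Review bot: The new `retryInterval` description in hunk `@@ -4737,13 +4749,15 @@` does not say what format the string takes, so a schema reader cannot tell whether `"5s"`, `"5000ms"` or a bare number is expected. If the controller parses it as a Go duration (worth confirming against the Go type), the description should say so: `RetryInterval is the interval between retry attempts, specified as a Go duration string (e.g. \"5s\").`. `maxRetries` in the same hunk is an `int32` with no lower bound, so negative values validate; `"minimum": 0` states the intended contract.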
@@ -16,6 +16,7 @@ "description": "ACRAccessTokenSpec defines how to generate the access token\ne.g. how to authenticate and which registry to use.\nsee: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview", "properties": { "auth": { + "description": "ACRAuth defines the authentication methods for Azure Container Registry.", "properties": { "managedIdentity": { "description": "ManagedIdentity uses Azure Managed Identity to authenticate with Azure.", @@ -32,7 +33,7 @@ "description": "ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.", "properties": { "secretRef": { - "description": "Configuration used to authenticate with Azure using static\ncredentials stored in a Kind=Secret.", + "description": "AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.\nIt uses static credentials stored in a Kind=Secret.", "properties": { "clientId": { "description": "The Azure clientId of the service principle used for authentication.", 
@@ -145,12 +146,13 @@
 },
 "environmentType": {
 "default": "PublicCloud",
- "description": "EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud",
+ "description": "EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud",
 "enum": [
 "PublicCloud",
 "USGovernmentCloud",
 "ChinaCloud",
- "GermanCloud"
+ "GermanCloud",
+ "AzureStackCloud"
 ],
 "type": "string"
 },
diff --git a/generators.external-secrets.io/cloudsmithaccesstoken_v1alpha1.json b/generators.external-secrets.io/cloudsmithaccesstoken_v1alpha1.json
new file mode 100644
index 00000000..89f0bd02
--- /dev/null
+++ b/generators.external-secrets.io/cloudsmithaccesstoken_v1alpha1.json
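Review bot: The `AzureStackCloud` value added to the `environmentType` enum is not reflected in the description rewritten in the same hunk, which still ends with `PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud`, so the documented and accepted values now disagree. The identical pair of edits appears in the clustergenerator_v1alpha1.json hunk `@@ -152,12 +154,13 @@`. If these schemas are generated from the Go types, the fix belongs in the upstream field comment; either way the description's last line should read `PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud`.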
@@ -0,0 +1,72 @@ +{ + "description": "CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.", + "properties": { + "apiUrl": { + "description": "APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.", + "type": "string" + }, + "orgSlug": { + "description": "OrgSlug is the organization slug in Cloudsmith", + "type": "string" + }, + "serviceAccountRef": { + "description": "Name of the service account you are federating with", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "serviceSlug": { + "description": "ServiceSlug is the service slug in Cloudsmith for OIDC authentication", + "type": "string" + } + }, + "required": [ + "orgSlug", + "serviceAccountRef", + "serviceSlug" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/generators.external-secrets.io/clustergenerator_v1alpha1.json b/generators.external-secrets.io/clustergenerator_v1alpha1.json index a2d341eb..51aedb99 100644 --- a/generators.external-secrets.io/clustergenerator_v1alpha1.json +++ b/generators.external-secrets.io/clustergenerator_v1alpha1.json @@ -13,6 +13,7 @@ "type": "object" }, "spec": { + "description": "ClusterGeneratorSpec defines the desired state of a ClusterGenerator.", "properties": { "generator": { "description": "Generator the spec for this generator, must match the kind.", 
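Review bot: `apiUrl` in the new cloudsmithaccesstoken_v1alpha1.json is described as defaulting to `https://api.cloudsmith.io`, but the schema carries neither a `default` nor any constraint on the value, unlike `environmentType` in acraccesstoken_v1alpha1.json which encodes its default. Because this endpoint is where the service-account token is exchanged for the Cloudsmith token, a validator should at least reject non-URL values: add `"default": "https://api.cloudsmith.io"` and `"format": "uri"` (noting that `format` is only enforced by validators that opt in). `orgSlug` and `serviceSlug` are required yet accept the empty string; `"minLength": 1` would match the `name` fields in the same object. The embedded `cloudsmithAccessTokenSpec` in the clustergenerator_v1alpha1.json hunk starting at `@@ -181,16 +184,72 @@` has the same gaps.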
@@ -23,6 +24,7 @@ "description": "ACRAccessTokenSpec defines how to generate the access token\ne.g. how to authenticate and which registry to use.\nsee: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview", "properties": { "auth": { + "description": "ACRAuth defines the authentication methods for Azure Container Registry.", "properties": { "managedIdentity": { "description": "ManagedIdentity uses Azure Managed Identity to authenticate with Azure.", @@ -39,7 +41,7 @@ "description": "ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.", "properties": { "secretRef": { - "description": "Configuration used to authenticate with Azure using static\ncredentials stored in a Kind=Secret.", + "description": "AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.\nIt uses static credentials stored in a Kind=Secret.", "properties": { "clientId": { "description": "The Azure clientId of the service principle used for authentication.", 
@@ -152,12 +154,13 @@
 },
 "environmentType": {
 "default": "PublicCloud",
- "description": "EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud",
+ "description": "EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud",
 "enum": [
 "PublicCloud",
 "USGovernmentCloud",
 "ChinaCloud",
- "GermanCloud"
+ "GermanCloud",
+ "AzureStackCloud"
 ],
 "type": "string"
 },
@@ -181,16 +184,72 @@ "type": "object", "additionalProperties": false }, + "cloudsmithAccessTokenSpec": { + "description": "CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.", + "properties": { + "apiUrl": { + "description": "APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.", + "type": "string" + }, + "orgSlug": { + "description": "OrgSlug is the organization slug in Cloudsmith", + "type": "string" + }, + "serviceAccountRef": { + "description": "Name of the service account you are federating with", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "serviceSlug": { + "description": "ServiceSlug is the service slug in Cloudsmith for OIDC authentication", + "type": "string" + } + }, + "required": [ + "orgSlug", + "serviceAccountRef", + "serviceSlug" + ], + "type": "object", + "additionalProperties": false + }, "ecrAuthorizationTokenSpec": { + "description": "ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.", "properties": { "auth": { "description": 
"Auth defines how to authenticate with AWS", "properties": { "jwt": { - "description": "Authenticate against AWS using service account tokens.", + "description": "AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", @@ -357,11 +416,13 @@ "additionalProperties": false }, "gcrAccessTokenSpec": { + "description": "GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.", "properties": { "auth": { "description": "Auth defines the means for authenticating with GCP", "properties": { "secretRef": { + "description": "GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.", "properties": { "secretAccessKeySecretRef": { "description": "The SecretAccessKey is used for authentication", @@ -396,6 +457,7 @@ "additionalProperties": false }, "workloadIdentity": { + "description": "GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.", "properties": { "clusterLocation": { "type": "string" @@ -407,7 +469,7 @@ "type": "string" }, "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", 
@@ -445,6 +507,127 @@ ], "type": "object", "additionalProperties": false + }, + "workloadIdentityFederation": { + "description": "GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.", + "properties": { + "audience": { + "description": "audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.\nIf specified, Audience found in the external account credential config will be overridden with the configured value.\naudience must be provided when serviceAccountRef or awsSecurityCredentials is configured.", + "type": "string" + }, + "awsSecurityCredentials": { + "description": "awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,\nwhen using the AWS metadata server is not an option.", + "properties": { + "awsCredentialsSecretRef": { + "description": "awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.\nSecret should be created with below names for keys\n- aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.\n- aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.\n- aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.", + "properties": { + "name": { + "description": "name of the secret.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "namespace in which the secret exists. 
If empty, secret will looked up in local namespace.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "region": { + "description": "region is for configuring the AWS region to be used.", + "example": "ap-south-1", + "maxLength": 50, + "minLength": 1, + "pattern": "^[a-z0-9-]+$", + "type": "string" + } + }, + "required": [ + "awsCredentialsSecretRef", + "region" + ], + "type": "object", + "additionalProperties": false + }, + "credConfig": { + "description": "credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.\nFor using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead\nserviceAccountRef must be used by providing operators service account details.", + "properties": { + "key": { + "description": "key name holding the external account credential config.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "name of the configmap.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "namespace in which the configmap exists. If empty, configmap will looked up in local namespace.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "key", + "name" + ], + "type": "object", + "additionalProperties": false + }, + "externalTokenEndpoint": { + "description": "externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the\ncredential_source.url in the provided credConfig. 
This field is merely to double-check the external token source\nURL is having the expected value.", + "type": "string" + }, + "serviceAccountRef": { + "description": "serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,\nwhen Kubernetes is configured as provider in workload identity pool.", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false } }, "type": "object", @@ -463,6 +646,7 @@ "additionalProperties": false }, "githubAccessTokenSpec": { + "description": "GithubAccessTokenSpec defines the desired state to generate a GitHub access token.", "properties": { "appID": { "type": "string" 
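Review bot: The `audience` description in the new `workloadIdentityFederation` block states that it must be provided when `serviceAccountRef` or `awsSecurityCredentials` is configured, and `credConfig` says `serviceAccountRef` must be used instead of the mounted token, but none of these relationships is expressed in the schema — the object has no `required`, `dependentRequired` or `oneOf`, so a federation block containing only `externalTokenEndpoint` validates. Encode the stated rule with `"dependentRequired": { "serviceAccountRef": ["audience"], "awsSecurityCredentials": ["audience"] }` (or `dependencies` if consumers are still on draft-07) so a misconfigured STS exchange is rejected at validation time rather than discovered when token generation fails. `externalTokenEndpoint` is compared against `credential_source.url` in the credential config yet is an unconstrained string; `"format": "uri"` would match its purpose. If these files are generated from Go types, the markers upstream are the place to add the constraints.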
@@ -471,9 +655,10 @@
 "description": "Auth configures how ESO authenticates with a Github instance.",
 "properties": {
 "privateKey": {
+ "description": "GithubSecretRef references a secret containing GitHub credentials.",
 "properties": {
 "secretRef": {
- "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.",
+ "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.",
 "properties": {
 "key": {
 "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.",
@@ -532,7 +717,7 @@
 "type": "array"
 },
 "url": {
- "description": "URL configures the Github instance URL. Defaults to https://github.com/.",
+ "description": "URL configures the GitHub instance URL. Defaults to https://github.com/.",
 "type": "string"
 }
 },
@@ -710,6 +895,18 @@
 "description": "Digits specifies the number of digits in the generated\npassword. If omitted it defaults to 25% of the length of the password",
 "type": "integer"
 },
+ "encoding": {
+ "default": "raw",
+ "description": "Encoding specifies the encoding of the generated password.\nValid values are:\n- \"raw\" (default): no encoding\n- \"base64\": standard base64 encoding\n- \"base64url\": base64url encoding\n- \"base32\": base32 encoding\n- \"hex\": hexadecimal encoding",
+ "enum": [
+ "base64",
+ "base64url",
+ "base32",
+ "hex",
+ "raw"
+ ],
+ "type": "string"
+ },
 "length": {
 "default": 24,
 "description": "Length of the password to be generated.\nDefaults to 24",
@@ -720,6 +917,14 @@
 "description": "Set NoUpper to disable uppercase characters",
 "type": "boolean"
 },
+ "secretKeys": {
+ "description": "SecretKeys defines the keys that will be populated with generated passwords.\nDefaults to \"password\" when not set.",
+ "items": {
+ "type": "string"
+ },
+ "minItems": 1,
+ "type": "array"
+ },
 "symbolCharacters": {
 "description": "SymbolCharacters specifies the special characters that should be used\nin the generated password.",
 "type": "string"
@@ -738,6 +943,7 @@
 "additionalProperties": false
 },
 "quayAccessTokenSpec": {
+ "description": "QuayAccessTokenSpec defines the desired state to generate a Quay access token.",
 "properties": {
 "robotAccount": {
 "description": "Name of the robot account you are federating with",
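Review bot: `secretKeys` in the @@ -720,6 +917,14 @@ hunk has `minItems: 1` but no `uniqueItems`, so `["password", "password"]` validates and two generated values would compete for one Secret key with the outcome left to the controller; add `"uniqueItems": true`. The `items` are also unconstrained strings, whereas every other Secret data key in this schema is declared with `"pattern": "^[-._a-zA-Z0-9]+$"`, `"maxLength": 253` and `"minLength": 1` — the same constraints on `items` would reject at admission key names that a Kubernetes Secret cannot store. The same hunk is repeated in password_v1alpha1.json at @@ -34,6 +46,14 @@.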
@@ -786,16 +992,44 @@
 "type": "object",
 "additionalProperties": false
 },
+ "sshKeySpec": {
+ "description": "SSHKeySpec controls the behavior of the ssh key generator.",
+ "properties": {
+ "comment": {
+ "description": "Comment specifies an optional comment for the SSH key",
+ "type": "string"
+ },
+ "keySize": {
+ "description": "KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).\nFor RSA keys: 2048, 3072, 4096\nFor ECDSA keys: 256, 384, 521\nIgnored for ed25519 keys",
+ "maximum": 8192,
+ "minimum": 256,
+ "type": "integer"
+ },
+ "keyType": {
+ "default": "rsa",
+ "description": "KeyType specifies the SSH key type (rsa, ecdsa, ed25519)",
+ "enum": [
+ "rsa",
+ "ecdsa",
+ "ed25519"
+ ],
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
 "stsSessionTokenSpec": {
+ "description": "STSSessionTokenSpec defines the desired state to generate an AWS STS session token.",
 "properties": {
 "auth": {
 "description": "Auth defines how to authenticate with AWS",
 "properties": {
 "jwt": {
- "description": "Authenticate against AWS using service account tokens.",
+ "description": "AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.",
 "properties": {
 "serviceAccountRef": {
- "description": "A reference to a ServiceAccount resource.",
+ "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.",
 "properties": {
 "audiences": {
 "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list",
@@ -963,6 +1197,7 @@
 "type": "object"
 },
 "vaultDynamicSecretSpec": {
+ "description": "VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.",
 "properties": {
 "allowEmptyResponse": {
 "default": false,
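Review bot: `keySize` in the new `sshKeySpec` block carries a single `"minimum": 256` regardless of `keyType`, so an RSA key of 256 to 2047 bits passes schema validation even though the description lists only 2048/3072/4096 for RSA and RSA below 2048 bits is generally treated as too weak to issue; unless the controller rejects such sizes (not visible here), a CEL rule on the spec such as `self.keyType != 'rsa' || !has(self.keySize) || self.keySize >= 2048` would enforce the documented bounds at admission. ECDSA has the mirror-image gap: the description allows only 256/384/521 but the schema accepts any value up to 8192, so a non-curve size is only caught at generation time. It would also help to record in the `keyType` description why `rsa` rather than `ed25519` is the default, since the default is what most users will end up with. The identical spec is the body of the new file generators.external-secrets.io/sshkey_v1alpha1.json (@@ -0,0 +1,44 @@).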
@@ -1098,6 +1333,11 @@
 "type": "object",
 "additionalProperties": false
 },
+ "path": {
+ "default": "cert",
+ "description": "Path where the Certificate authentication backend is mounted\nin Vault, e.g: \"cert\"",
+ "type": "string"
+ },
 "secretRef": {
 "description": "SecretRef to a key in a Secret resource containing client private key to\nauthenticate with Vault using the Cert authentication method",
 "properties": {
@@ -1130,6 +1370,152 @@ "type": "object", "additionalProperties": false }, + "gcp": { + "description": "Gcp authenticates with Vault using Google Cloud Platform authentication method\nGCP authentication method", + "properties": { + "location": { + "description": "Location optionally defines a location/region for the secret", + "type": "string" + }, + "path": { + "default": "gcp", + "description": "Path where the GCP auth method is enabled in Vault, e.g: \"gcp\"", + "type": "string" + }, + "projectID": { + "description": "Project ID of the Google Cloud Platform project", + "type": "string" + }, + "role": { + "description": "Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.", + "type": "string" + }, + "secretRef": { + "description": "Specify credentials in a Secret object", + "properties": { + "secretAccessKeySecretRef": { + "description": "The SecretAccessKey is used for authentication", + "properties": { + "key": { + "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "The namespace of the Secret resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "serviceAccountRef": { + "description": "ServiceAccountRef to a service account for 
impersonation", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "workloadIdentity": { + "description": "Specify a service account with Workload Identity", + "properties": { + "clusterLocation": { + "description": "ClusterLocation is the location of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "clusterName": { + "description": "ClusterName is the name of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "clusterProjectID": { + "description": "ClusterProjectID is the project ID of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "serviceAccountRef": { + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "serviceAccountRef" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "role" + ], + "type": "object", + "additionalProperties": false + }, "iam": { "description": "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials\nAWS IAM authentication method", "properties": { @@ -1141,7 +1527,7 @@ "description": "Specify a service account with IRSA enabled", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", 
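Review bot: The `gcp` auth block added in the @@ -1130,6 +1370,152 @@ hunk (which begins two lines up) requires only `role`; `secretRef`, `serviceAccountRef` and `workloadIdentity` are all optional and not mutually exclusive, so a spec naming no credential source, or several at once, validates and the precedence between them is decided somewhere not visible here. If exactly one is expected, a CEL rule on the object (e.g. `[has(self.secretRef), has(self.serviceAccountRef), has(self.workloadIdentity)].filter(x, x).size() == 1`) or a sentence in the description stating the precedence would make that explicit. The `secretRef.secretAccessKeySecretRef` description ("The SecretAccessKey is used for authentication") reuses AWS wording and does not say what the referenced Secret key must hold for the GCP method; a short note such as `the referenced key must contain the GCP service account credentials JSON` (once confirmed) would remove the ambiguity. The same block is added to vaultdynamicsecret_v1alpha1.json at @@ -179,6 +186,152 @@.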
@@ -1649,6 +2035,17 @@
 "type": "object",
 "additionalProperties": false
 },
+ "checkAndSet": {
+ "description": "CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.\nOnly applies to Vault KV v2 stores. When enabled, write operations must include\nthe current version of the secret to prevent unintentional overwrites.",
+ "properties": {
+ "required": {
+ "description": "Required when true, all write operations must include a check-and-set parameter.\nThis helps prevent unintentional overwrites of secrets.",
+ "type": "boolean"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
 "forwardInconsistent": {
 "description": "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault\nleader instead of simply retrying within a loop. This can increase performance if\nthe option is enabled serverside.\nhttps://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header",
 "type": "boolean"
@@ -1757,7 +2154,7 @@
 },
 "resultType": {
 "default": "Data",
- "description": "Result type defines which data is returned from the generator.\nBy default it is the \"data\" section of the Vault API response.\nWhen using e.g. /auth/token/create the \"data\" section is empty but\nthe \"auth\" section contains the generated token.\nPlease refer to the vault docs regarding the result data structure.\nAdditionally, accessing the raw response is possibly by using \"Raw\" result type.",
+ "description": "Result type defines which data is returned from the generator.\nBy default, it is the \"data\" section of the Vault API response.\nWhen using e.g. /auth/token/create the \"data\" section is empty but\nthe \"auth\" section contains the generated token.\nPlease refer to the vault docs regarding the result data structure.\nAdditionally, accessing the raw response is possibly by using \"Raw\" result type.",
 "enum": [
 "Data",
 "Auth",
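Review bot: `checkAndSet.required` in the @@ -1649,6 +2035,17 @@ hunk has no `default`, so the schema never states that writes run without a CAS check unless the user opts in, and an omitted field is indistinguishable from an explicit `false` in the stored object; the sibling boolean `allowEmptyResponse` in this file carries `"default": false`, and adding `"default": false,` here keeps the two consistent and makes the opt-in nature of the overwrite protection visible. Naming a property `required` inside `properties` is valid JSON Schema but easy to misread as the `required` keyword when scanning the file; opening its description with the field name as a noun, e.g. `Required, when true, makes every write include a check-and-set parameter.`, reduces that. The object enclosing `checkAndSet` starts outside the hunk.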
@@ -1799,7 +2196,7 @@ "description": "NTLMProtocol configures the store to use NTLM for auth", "properties": { "passwordSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -1827,7 +2224,7 @@ "additionalProperties": false }, "usernameSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -1940,6 +2337,7 @@ "secrets": { "description": "Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name", "items": { + "description": "WebhookSecret defines a secret reference that will be used in webhook templates.", "properties": { "name": { "description": "Name of this secret in templates", @@ -2000,12 +2398,14 @@ "description": "Kind the kind of this generator.", "enum": [ "ACRAccessToken", + "CloudsmithAccessToken", "ECRAuthorizationToken", "Fake", "GCRAccessToken", "GithubAccessToken", "QuayAccessToken", "Password", + "SSHKey", "STSSessionToken", "UUID", "VaultDynamicSecret", diff --git a/generators.external-secrets.io/ecrauthorizationtoken_v1alpha1.json b/generators.external-secrets.io/ecrauthorizationtoken_v1alpha1.json index 3ebe0a0a..6a6277ca 100644 --- a/generators.external-secrets.io/ecrauthorizationtoken_v1alpha1.json 
+++ b/generators.external-secrets.io/ecrauthorizationtoken_v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an\nauthorization token.\nThe authorization token is valid for 12 hours.\nThe authorizationToken returned is a base64 encoded string that can be decoded\nand used in a docker login command to authenticate to a registry.\nFor more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.", + "description": "ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.\nThe authorization token is valid for 12 hours.\nThe authorizationToken returned is a base64 encoded string that can be decoded\nand used in a docker login command to authenticate to a registry.\nFor more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -13,15 +13,16 @@ "type": "object" }, "spec": { + "description": "ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.", "properties": { "auth": { "description": "Auth defines how to authenticate with AWS", "properties": { "jwt": { - "description": "Authenticate against AWS using service account tokens.", + "description": "AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", diff --git a/generators.external-secrets.io/gcraccesstoken_v1alpha1.json b/generators.external-secrets.io/gcraccesstoken_v1alpha1.json index d7bd3dbc..efbaa388 100644 --- a/generators.external-secrets.io/gcraccesstoken_v1alpha1.json +++ b/generators.external-secrets.io/gcraccesstoken_v1alpha1.json @@ -13,11 +13,13 @@ "type": "object" }, "spec": { + "description": "GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.", "properties": { "auth": { "description": "Auth defines the means for authenticating with GCP", "properties": { "secretRef": { + "description": "GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.", "properties": { "secretAccessKeySecretRef": { "description": "The SecretAccessKey is used for authentication", @@ -52,6 +54,7 @@ "additionalProperties": false }, "workloadIdentity": { + "description": "GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.", "properties": { "clusterLocation": { "type": "string" 
@@ -63,7 +66,7 @@ "type": "string" }, "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", 
@@ -101,6 +104,127 @@ ], "type": "object", "additionalProperties": false + }, + "workloadIdentityFederation": { + "description": "GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.", + "properties": { + "audience": { + "description": "audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.\nIf specified, Audience found in the external account credential config will be overridden with the configured value.\naudience must be provided when serviceAccountRef or awsSecurityCredentials is configured.", + "type": "string" + }, + "awsSecurityCredentials": { + "description": "awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,\nwhen using the AWS metadata server is not an option.", + "properties": { + "awsCredentialsSecretRef": { + "description": "awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.\nSecret should be created with below names for keys\n- aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.\n- aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.\n- aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.", + "properties": { + "name": { + "description": "name of the secret.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "namespace in which the secret exists. 
If empty, secret will looked up in local namespace.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "region": { + "description": "region is for configuring the AWS region to be used.", + "example": "ap-south-1", + "maxLength": 50, + "minLength": 1, + "pattern": "^[a-z0-9-]+$", + "type": "string" + } + }, + "required": [ + "awsCredentialsSecretRef", + "region" + ], + "type": "object", + "additionalProperties": false + }, + "credConfig": { + "description": "credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.\nFor using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead\nserviceAccountRef must be used by providing operators service account details.", + "properties": { + "key": { + "description": "key name holding the external account credential config.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "name of the configmap.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "namespace in which the configmap exists. If empty, configmap will looked up in local namespace.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "key", + "name" + ], + "type": "object", + "additionalProperties": false + }, + "externalTokenEndpoint": { + "description": "externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the\ncredential_source.url in the provided credConfig. 
This field is merely to double-check the external token source\nURL is having the expected value.", + "type": "string" + }, + "serviceAccountRef": { + "description": "serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,\nwhen Kubernetes is configured as provider in workload identity pool.", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false } }, "type": "object", diff --git a/generators.external-secrets.io/generatorstate_v1alpha1.json b/generators.external-secrets.io/generatorstate_v1alpha1.json index 44d72a81..e0ae61e8 100644 --- a/generators.external-secrets.io/generatorstate_v1alpha1.json +++ b/generators.external-secrets.io/generatorstate_v1alpha1.json 
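Review bot: The `workloadIdentityFederation` block (hunk @@ -101,6 +104,127 @@, beginning two lines up) states two cross-field rules only in prose — `audience` must be set when `serviceAccountRef` or `awsSecurityCredentials` is configured, and `credConfig` is to be used instead of `serviceAccountRef` — while nothing at this level is marked `required`, so a block with none of these sources, or with conflicting ones, passes admission. A CEL rule such as `!(has(self.serviceAccountRef) || has(self.awsSecurityCredentials)) || has(self.audience)` would enforce the first rule in the API server rather than in the controller. Because `credConfig` is read from a ConfigMap rather than a Secret, the `externalTokenEndpoint` comparison against `credential_source.url` is the safeguard that a modified credential config cannot silently redirect token requests, so its description should say whether a mismatch is a hard failure instead of "merely to double-check". Two descriptions also read "secret will looked up" and "configmap will looked up" (missing "be").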
@@ -1,4 +1,5 @@ { + "description": "GeneratorState represents the state created and managed by a generator resource.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -12,6 +13,7 @@ "type": "object" }, "spec": { + "description": "GeneratorStateSpec defines the desired state of a generator state resource.", "properties": { "garbageCollectionDeadline": { "description": "GarbageCollectionDeadline is the time after which the generator state\nwill be deleted.\nIt is set by the controller which creates the generator state and\ncan be set configured by the user.\nIf the garbage collection deadline is not set the generator state will not be deleted.", @@ -35,9 +37,11 @@ "additionalProperties": false }, "status": { + "description": "GeneratorStateStatus defines the observed state of a generator state resource.", "properties": { "conditions": { "items": { + "description": "GeneratorStateStatusCondition represents the observed condition of a generator state.", "properties": { "lastTransitionTime": { "format": "date-time", @@ -53,6 +57,7 @@ "type": "string" }, "type": { + "description": "GeneratorStateConditionType represents the type of condition for a generator state.", "type": "string" } }, diff --git a/generators.external-secrets.io/githubaccesstoken_v1alpha1.json b/generators.external-secrets.io/githubaccesstoken_v1alpha1.json index 7b25f6ed..90e44b8c 100644 --- a/generators.external-secrets.io/githubaccesstoken_v1alpha1.json +++ b/generators.external-secrets.io/githubaccesstoken_v1alpha1.json 
@@ -13,6 +13,7 @@ "type": "object" }, "spec": { + "description": "GithubAccessTokenSpec defines the desired state to generate a GitHub access token.", "properties": { "appID": { "type": "string" @@ -21,9 +22,10 @@ "description": "Auth configures how ESO authenticates with a Github instance.", "properties": { "privateKey": { + "description": "GithubSecretRef references a secret containing GitHub credentials.", "properties": { "secretRef": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -82,7 +84,7 @@ "type": "array" }, "url": { - "description": "URL configures the Github instance URL. Defaults to https://github.com/.", + "description": "URL configures the GitHub instance URL. Defaults to https://github.com/.", "type": "string" } }, diff --git a/generators.external-secrets.io/grafana_v1alpha1.json b/generators.external-secrets.io/grafana_v1alpha1.json index b2e3164f..e06f3173 100644 --- a/generators.external-secrets.io/grafana_v1alpha1.json +++ b/generators.external-secrets.io/grafana_v1alpha1.json @@ -1,4 +1,5 @@ { + "description": "Grafana represents a generator for Grafana service account tokens.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", diff --git a/generators.external-secrets.io/password_v1alpha1.json b/generators.external-secrets.io/password_v1alpha1.json index 327d1863..440385fa 100644 
--- a/generators.external-secrets.io/password_v1alpha1.json +++ b/generators.external-secrets.io/password_v1alpha1.json @@ -24,6 +24,18 @@ "description": "Digits specifies the number of digits in the generated\npassword. If omitted it defaults to 25% of the length of the password", "type": "integer" }, + "encoding": { + "default": "raw", + "description": "Encoding specifies the encoding of the generated password.\nValid values are:\n- \"raw\" (default): no encoding\n- \"base64\": standard base64 encoding\n- \"base64url\": base64url encoding\n- \"base32\": base32 encoding\n- \"hex\": hexadecimal encoding", + "enum": [ + "base64", + "base64url", + "base32", + "hex", + "raw" + ], + "type": "string" + }, "length": { "default": 24, "description": "Length of the password to be generated.\nDefaults to 24", @@ -34,6 +46,14 @@ "description": "Set NoUpper to disable uppercase characters", "type": "boolean" }, + "secretKeys": { + "description": "SecretKeys defines the keys that will be populated with generated passwords.\nDefaults to \"password\" when not set.", + "items": { + "type": "string" + }, + "minItems": 1, + "type": "array" + }, "symbolCharacters": { "description": "SymbolCharacters specifies the special characters that should be used\nin the generated password.", "type": "string" diff --git a/generators.external-secrets.io/quayaccesstoken_v1alpha1.json b/generators.external-secrets.io/quayaccesstoken_v1alpha1.json index ebf62067..dc963a68 100644 --- a/generators.external-secrets.io/quayaccesstoken_v1alpha1.json +++ b/generators.external-secrets.io/quayaccesstoken_v1alpha1.json @@ -13,6 +13,7 @@ "type": "object" }, "spec": { + "description": "QuayAccessTokenSpec defines the desired state to generate a Quay access token.", "properties": { "robotAccount": { "description": "Name of the robot account you are federating with", 
diff --git a/generators.external-secrets.io/sshkey_v1alpha1.json b/generators.external-secrets.io/sshkey_v1alpha1.json
new file mode 100644
index 00000000..a12eaa08
--- /dev/null
+++ b/generators.external-secrets.io/sshkey_v1alpha1.json
@@ -0,0 +1,44 @@
+{
+ "description": "SSHKey generates SSH key pairs.",
+ "properties": {
+ "apiVersion": {
+ "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "type": "string"
+ },
+ "kind": {
+ "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "type": "string"
+ },
+ "metadata": {
+ "type": "object"
+ },
+ "spec": {
+ "description": "SSHKeySpec controls the behavior of the ssh key generator.",
+ "properties": {
+ "comment": {
+ "description": "Comment specifies an optional comment for the SSH key",
+ "type": "string"
+ },
+ "keySize": {
+ "description": "KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).\nFor RSA keys: 2048, 3072, 4096\nFor ECDSA keys: 256, 384, 521\nIgnored for ed25519 keys",
+ "maximum": 8192,
+ "minimum": 256,
+ "type": "integer"
+ },
+ "keyType": {
+ "default": "rsa",
+ "description": "KeyType specifies the SSH key type (rsa, ecdsa, ed25519)",
+ "enum": [
+ "rsa",
+ "ecdsa",
+ "ed25519"
+ ],
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "type": "object"
+}
diff --git a/generators.external-secrets.io/stssessiontoken_v1alpha1.json b/generators.external-secrets.io/stssessiontoken_v1alpha1.json index fff4e7c6..77672f7c 100644 --- a/generators.external-secrets.io/stssessiontoken_v1alpha1.json +++ b/generators.external-secrets.io/stssessiontoken_v1alpha1.json @@ -13,15 +13,16 @@ "type": "object" }, "spec": { + "description": "STSSessionTokenSpec defines the desired state to generate an AWS STS session token.", "properties": { "auth": { "description": "Auth defines how to authenticate with AWS", "properties": { "jwt": { - "description": "Authenticate against AWS using service account tokens.", + "description": "AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", diff --git a/generators.external-secrets.io/vaultdynamicsecret_v1alpha1.json b/generators.external-secrets.io/vaultdynamicsecret_v1alpha1.json index 9f16f39f..88c034ce 100644 --- a/generators.external-secrets.io/vaultdynamicsecret_v1alpha1.json +++ b/generators.external-secrets.io/vaultdynamicsecret_v1alpha1.json @@ -1,4 +1,5 @@ { + "description": "VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -12,6 +13,7 @@
 "type": "object"
 },
 "spec": {
+ "description": "VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.",
 "properties": {
 "allowEmptyResponse": {
 "default": false,
@@ -147,6 +149,11 @@
 "type": "object",
 "additionalProperties": false
 },
+ "path": {
+ "default": "cert",
+ "description": "Path where the Certificate authentication backend is mounted\nin Vault, e.g: \"cert\"",
+ "type": "string"
+ },
 "secretRef": {
 "description": "SecretRef to a key in a Secret resource containing client private key to\nauthenticate with Vault using the Cert authentication method",
 "properties": {
@@ -179,6 +186,152 @@ "type": "object", "additionalProperties": false }, + "gcp": { + "description": "Gcp authenticates with Vault using Google Cloud Platform authentication method\nGCP authentication method", + "properties": { + "location": { + "description": "Location optionally defines a location/region for the secret", + "type": "string" + }, + "path": { + "default": "gcp", + "description": "Path where the GCP auth method is enabled in Vault, e.g: \"gcp\"", + "type": "string" + }, + "projectID": { + "description": "Project ID of the Google Cloud Platform project", + "type": "string" + }, + "role": { + "description": "Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.", + "type": "string" + }, + "secretRef": { + "description": "Specify credentials in a Secret object", + "properties": { + "secretAccessKeySecretRef": { + "description": "The SecretAccessKey is used for authentication", + "properties": { + "key": { + "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "The namespace of the Secret resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "serviceAccountRef": { + "description": "ServiceAccountRef to a service account for 
impersonation", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "workloadIdentity": { + "description": "Specify a service account with Workload Identity", + "properties": { + "clusterLocation": { + "description": "ClusterLocation is the location of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "clusterName": { + "description": "ClusterName is the name of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "clusterProjectID": { + "description": "ClusterProjectID is the project ID of the cluster\nIf not specified, it fetches information from the metadata server", + "type": "string" + }, + "serviceAccountRef": { + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", + "properties": { + "audiences": { + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "The name of the ServiceAccount resource being referred to.", + "maxLength": 253, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to.\nIgnored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.", + "maxLength": 63, + "minLength": 1, + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "serviceAccountRef" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "role" + ], + "type": "object", + "additionalProperties": false + }, "iam": { "description": "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials\nAWS IAM authentication method", "properties": { @@ -190,7 +343,7 @@ "description": "Specify a service account with IRSA enabled", "properties": { "serviceAccountRef": { - "description": "A reference to a ServiceAccount resource.", + "description": "ServiceAccountSelector is a reference to a ServiceAccount resource.", "properties": { "audiences": { "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", 
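Review bot: The new `gcp` object lists only `role` under `required`, while `secretRef`, `serviceAccountRef` and `workloadIdentity` are all optional and neither the schema nor the description says that exactly one credential source is expected or which one takes precedence when several are set, so a spec with none or with all three validates. If this schema is generated from the CRD the constraint itself belongs upstream (a `oneOf`, or a CEL rule on the Go type), but the `gcp` description should at least state the rule, e.g. `"Gcp authenticates with Vault using the Google Cloud Platform auth method.\nExactly one of secretRef, serviceAccountRef or workloadIdentity should be set; when several are set <PRECEDENCE — confirm against the controller> applies."`. That rewrite would also drop the duplicated tail of the current text (`...Google Cloud Platform authentication method\nGCP authentication method`). The `location` description ("a location/region for the secret") does not say which secret or Vault object it scopes; one clause naming it would help. The enclosing `auth` object starts and ends outside the hunk.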
@@ -698,6 +851,17 @@ "type": "object", "additionalProperties": false }, + "checkAndSet": { + "description": "CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.\nOnly applies to Vault KV v2 stores. When enabled, write operations must include\nthe current version of the secret to prevent unintentional overwrites.", + "properties": { + "required": { + "description": "Required when true, all write operations must include a check-and-set parameter.\nThis helps prevent unintentional overwrites of secrets.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + }, "forwardInconsistent": { "description": "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault\nleader instead of simply retrying within a loop. This can increase performance if\nthe option is enabled serverside.\nhttps://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header", "type": "boolean" @@ -806,7 +970,7 @@ }, "resultType": { "default": "Data", - "description": "Result type defines which data is returned from the generator.\nBy default it is the \"data\" section of the Vault API response.\nWhen using e.g. /auth/token/create the \"data\" section is empty but\nthe \"auth\" section contains the generated token.\nPlease refer to the vault docs regarding the result data structure.\nAdditionally, accessing the raw response is possibly by using \"Raw\" result type.", + "description": "Result type defines which data is returned from the generator.\nBy default, it is the \"data\" section of the Vault API response.\nWhen using e.g. /auth/token/create the \"data\" section is empty but\nthe \"auth\" section contains the generated token.\nPlease refer to the vault docs regarding the result data structure.\nAdditionally, accessing the raw response is possibly by using \"Raw\" result type.", "enum": [ "Data", "Auth", 
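Review bot: The `checkAndSet` description added in `@@ -698,6 +851,17 @@` explains the field in terms of PushSecret write operations, but this file is the VaultDynamicSecret generator schema, which only reads from Vault, so a reader is told the setting governs writes this resource never issues. This looks like a shared Vault provider struct surfacing in the generator; if so, the description should say what the field means here, e.g. `"CheckAndSet defines Check-And-Set (CAS) settings for PushSecret writes to Vault KV v2 stores.\nFor VaultDynamicSecret this is presumably a no-op since it only reads — confirm against the controller."` (the upstream Go type is where that text would have to change). The inner property named `required` is valid because it sits under `properties`, but it shares its name with the JSON Schema keyword and is easy to misread when scanning; its own description should therefore spell out that it is a boolean field of the CAS settings, not a list of required members.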
diff --git a/generators.external-secrets.io/webhook_v1alpha1.json b/generators.external-secrets.io/webhook_v1alpha1.json index d587bf24..76b889d9 100644 --- a/generators.external-secrets.io/webhook_v1alpha1.json +++ b/generators.external-secrets.io/webhook_v1alpha1.json @@ -24,7 +24,7 @@ "description": "NTLMProtocol configures the store to use NTLM for auth", "properties": { "passwordSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -52,7 +52,7 @@ "additionalProperties": false }, "usernameSecret": { - "description": "A reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", + "description": "SecretKeySelector is a reference to a specific 'key' within a Secret resource.\nIn some instances, `key` is a required field.", "properties": { "key": { "description": "A key in the referenced Secret.\nSome instances of this field may be defaulted, in others it may be required.", @@ -165,6 +165,7 @@ "secrets": { "description": "Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name", "items": { + "description": "WebhookSecret defines a secret reference that will be used in webhook templates.", "properties": { "name": { "description": "Name of this secret in templates",