From 9e3433750e683560e3c8e4121060303989068b62 Mon Sep 17 00:00:00 2001 From: Alex Coomans Date: Sat, 6 Jul 2024 09:56:19 -0500 Subject: [PATCH] Update External Secrets CRDs (v0.9.19) (#343) --- .../clusterexternalsecret_v1beta1.json | 61 +++- .../clustersecretstore_v1alpha1.json | 55 ++++ .../clustersecretstore_v1beta1.json | 290 +++++++++++++++++- .../externalsecret_v1alpha1.json | 3 +- .../externalsecret_v1beta1.json | 3 +- external-secrets.io/pushsecret_v1alpha1.json | 35 ++- external-secrets.io/secretstore_v1alpha1.json | 55 ++++ external-secrets.io/secretstore_v1beta1.json | 290 +++++++++++++++++- .../acraccesstoken_v1alpha1.json | 30 +- .../ecrauthorizationtoken_v1alpha1.json | 28 +- .../fake_v1alpha1.json | 10 +- .../gcraccesstoken_v1alpha1.json | 14 +- .../githubaccesstoken_v1alpha1.json | 76 +++++ .../password_v1alpha1.json | 14 +- .../vaultdynamicsecret_v1alpha1.json | 222 ++++++++++---- .../webhook_v1alpha1.json | 131 ++++++++ 16 files changed, 1185 insertions(+), 132 deletions(-) create mode 100644 generators.external-secrets.io/githubaccesstoken_v1alpha1.json create mode 100644 generators.external-secrets.io/webhook_v1alpha1.json
diff --git a/external-secrets.io/clusterexternalsecret_v1beta1.json b/external-secrets.io/clusterexternalsecret_v1beta1.json
index 915c37a1..d603073b 100644
--- a/external-secrets.io/clusterexternalsecret_v1beta1.json
+++ b/external-secrets.io/clusterexternalsecret_v1beta1.json
@@ -577,7 +577,7 @@
 "additionalProperties": false
 },
 "namespaceSelector": {
- "description": "The labels to select by to find the Namespaces to create the ExternalSecrets in.",
+ "description": "The labels to select by to find the Namespaces to create the ExternalSecrets in.\nDeprecated: Use NamespaceSelectors instead.",
 "properties": {
 "matchExpressions": {
 "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
@@ -597,7 +597,8 @@
 "items": {
 "type": "string"
 },
- "type": "array"
+ "type": "array",
+ "x-kubernetes-list-type": "atomic"
 }
 },
 "required": [
@@ -607,7 +608,8 @@
 "type": "object",
 "additionalProperties": false
 },
- "type": "array"
+ "type": "array",
+ "x-kubernetes-list-type": "atomic"
 },
 "matchLabels": {
 "additionalProperties": {
@@ -621,8 +623,59 @@ "x-kubernetes-map-type": "atomic", "additionalProperties": false }, + "namespaceSelectors": { + "description": "A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.", + "items": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.", + "type": "object" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": "array" + }, "namespaces": { - "description": "Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.", + "description": "Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.", "items": { "type": "string" }, diff --git a/external-secrets.io/clustersecretstore_v1alpha1.json b/external-secrets.io/clustersecretstore_v1alpha1.json index 68755904..35a2241b 100644 --- a/external-secrets.io/clustersecretstore_v1alpha1.json +++ b/external-secrets.io/clustersecretstore_v1alpha1.json 
@@ -1051,6 +1051,61 @@
 "type": "object",
 "additionalProperties": false
 },
+ "passworddepot": {
+ "description": "Configures a store to sync secrets with a Password Depot instance.",
+ "properties": {
+ "auth": {
+ "description": "Auth configures how secret-manager authenticates with a Password Depot instance.",
+ "properties": {
+ "secretRef": {
+ "properties": {
+ "credentials": {
+ "description": "Username / Password is used for authentication.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "secretRef"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
+ "database": {
+ "description": "Database to use as source",
+ "type": "string"
+ },
+ "host": {
+ "description": "URL configures the Password Depot instance URL.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "auth",
+ "database",
+ "host"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
 "vault": {
 "description": "Vault configures this store to sync secrets using Hashi provider",
 "properties": {
diff --git a/external-secrets.io/clustersecretstore_v1beta1.json b/external-secrets.io/clustersecretstore_v1beta1.json
index deb07e27..3f243727 100644
--- a/external-secrets.io/clustersecretstore_v1beta1.json
+++ b/external-secrets.io/clustersecretstore_v1beta1.json
@@ -41,7 +41,8 @@
 "items": {
 "type": "string"
 },
- "type": "array"
+ "type": "array",
+ "x-kubernetes-list-type": "atomic"
 }
 },
 "required": [
@@ -51,7 +52,8 @@
 "type": "object",
 "additionalProperties": false
 },
- "type": "array"
+ "type": "array",
+ "x-kubernetes-list-type": "atomic"
 },
 "matchLabels": {
 "additionalProperties": {
@@ -556,10 +558,29 @@
 "description": "AzureKV configures this store to sync secrets using Azure Key Vault provider",
 "properties": {
 "authSecretRef": {
- "description": "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.",
+ "description": "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.",
 "properties": {
+ "clientCertificate": {
+ "description": "The Azure ClientCertificate of the service principle used for authentication.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
 "clientId": {
- "description": "The Azure clientId of the service principle used for authentication.",
+ "description": "The Azure clientId of the service principle or managed identity used for authentication.",
 "properties": {
 "key": {
 "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
@@ -595,6 +616,25 @@
 },
 "type": "object",
 "additionalProperties": false
+ },
+ "tenantId": {
+ "description": "The Azure tenantId of the managed identity used for authentication.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
 }
 },
 "type": "object",
@@ -651,7 +691,7 @@
 "additionalProperties": false
 },
 "tenantId": {
- "description": "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.",
+ "description": "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.",
 "type": "string"
 },
 "vaultUrl": {
@@ -786,6 +826,10 @@
 "account": {
 "type": "string"
 },
+ "hostId": {
+ "description": "Optional HostID for JWT authentication. This may be used depending\non how the Conjur JWT authenticator policy is configured.",
+ "type": "string"
+ },
 "secretRef": {
 "description": "Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Conjur using the JWT authentication method.",
 "properties": {
@@ -1092,6 +1136,43 @@
 "type": "object",
 "additionalProperties": false
 },
+ "fortanix": {
+ "description": "Fortanix configures this store to sync secrets using the Fortanix provider",
+ "properties": {
+ "apiKey": {
+ "description": "APIKey is the API token to access SDKMS Applications.",
+ "properties": {
+ "secretRef": {
+ "description": "SecretRef is a reference to a secret containing the SDKMS API Key.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
+ "apiUrl": {
+ "description": "APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
 "gcpsm": {
 "description": "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider",
 "properties": {
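Review bot: The description of `apiUrl` in the new `fortanix` block states that it defaults to `sdkms.fortanix.com`, yet the schema declares no `"default"` for the property, whereas `onboardbase.apiHost` elsewhere in this same file encodes its default explicitly with `"default": "https://public.onboardbase.com/api/v1/"`. A tool validating or generating documentation from this schema therefore cannot see the default, and an omitted or empty `apiUrl` passes validation with no record of which endpoint the API key will be presented to. If the upstream CRD marker really sets that default, the generated line next to the description should be `"default": "sdkms.fortanix.com",`; if it does not, the description should stop claiming one. Neither `fortanix` nor `apiKey` lists anything under `required`, so a store with no credential reference at all is schema-valid; if that is intended (another auth path, for instance) a sentence in `apiKey`'s description saying so would help. Because these files are generated from the upstream CRDs the fix belongs in the upstream type's markers, and the identical block is added to secretstore_v1beta1.json in the hunk headed `@@ -1092,6 +1136,43 @@` further down this patch.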
@@ -1518,6 +1599,83 @@ "type": "object", "additionalProperties": false }, + "onboardbase": { + "description": "Onboardbase configures this store to sync secrets using the Onboardbase provider", + "properties": { + "apiHost": { + "default": "https://public.onboardbase.com/api/v1/", + "description": "APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/", + "type": "string" + }, + "auth": { + "description": "Auth configures how the Operator authenticates with the Onboardbase API", + "properties": { + "apiKeyRef": { + "description": "OnboardbaseAPIKey is the APIKey generated by an admin account.\nIt is used to recognize and authorize access to a project and environment within onboardbase", + "properties": { + "key": { + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "passcodeRef": { + "description": "OnboardbasePasscode is the passcode attached to the API Key", + "properties": { + "key": { + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "apiKeyRef", + "passcodeRef" + ], + "type": "object", + "additionalProperties": false + }, + "environment": { + "default": "development", + "description": "Environment is the name of an environmnent within a project to pull the secrets from", + "type": "string" + }, + "project": { + "default": "development", + "description": "Project is an onboardbase project that the secrets should be pulled from", + "type": "string" + } + }, + "required": [ + "apiHost", + "auth", + "environment", + "project" + ], + "type": "object", + "additionalProperties": false + }, "onepassword": { "description": "OnePassword configures this store to sync secrets using the 1Password Cloud provider", "properties": { 
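Review bot: In the new `onboardbase` block, `project` carries `"default": "development"` although its description says it names an Onboardbase project, and that value is exactly the default `environment` uses a few lines above, which suggests a copied default rather than an intended one. With that default in place the schema (and the CRD it mirrors) accepts a SecretStore that omits `project` and silently resolves against a project literally called `development`, a misconfiguration that could end with secrets pulled from an unintended project rather than a validation error. The same `required` list names `apiHost`, `environment` and `project` even though all three have defaults, and `environment`'s description carries the typo `environmnent`. Since these schemas are generated from the upstream CRDs, the correction belongs in the upstream kubebuilder markers rather than a hand edit here; the identical block appears again in the secretstore_v1beta1.json hunk headed `@@ -1518,6 +1599,83 @@` later in this patch.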
@@ -1711,6 +1869,124 @@ "type": "object", "additionalProperties": false }, + "passbolt": { + "properties": { + "auth": { + "description": "Auth defines the information necessary to authenticate against Passbolt Server", + "properties": { + "passwordSecretRef": { + "description": "A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.", + "properties": { + "key": { + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "privateKeySecretRef": { + "description": "A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.", + "properties": { + "key": { + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "passwordSecretRef", + "privateKeySecretRef" + ], + "type": "object", + "additionalProperties": false + }, + "host": { + "description": "Host defines the Passbolt Server to connect to", + "type": "string" + } + }, + "required": [ + "auth", + "host" + ], + "type": "object", + "additionalProperties": false + }, + "passworddepot": { + "description": "Configures a store to sync secrets with a Password Depot instance.", + "properties": { + "auth": { + "description": "Auth configures how secret-manager authenticates with a Password Depot instance.", + "properties": { + "secretRef": { + "properties": { + "credentials": { + "description": "Username / Password is used for authentication.", + "properties": { + "key": { + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults\nto the namespace of the referent.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "secretRef" + ], + "type": "object", + "additionalProperties": false + }, + "database": { + "description": "Database to use as source", + "type": "string" + }, + "host": { + "description": "URL configures the Password Depot instance URL.", + "type": "string" + } + }, + "required": [ + "auth", + "database", + "host" + ], + "type": "object", + "additionalProperties": false + }, "pulumi": { "description": "Pulumi configures this store to sync secrets using the Pulumi provider", "properties": { @@ -2332,6 +2608,10 @@ "type": "object", "additionalProperties": false }, + "namespace": { + "description": "Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.\nNamespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces\nThis will default to Vault.Namespace field if set, or empty otherwise", + "type": "string" + }, "tokenSecretRef": { "description": "TokenSecretRef authenticates with Vault by presenting a token.", "properties": { diff --git a/external-secrets.io/externalsecret_v1alpha1.json b/external-secrets.io/externalsecret_v1alpha1.json index a84e1c9e..0248e3b2 100644 --- a/external-secrets.io/externalsecret_v1alpha1.json +++ b/external-secrets.io/externalsecret_v1alpha1.json 
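Review bot: The new `passbolt` provider object has no top-level `description`, while the neighbouring providers in this hunk (`passworddepot`, `pulumi`) and the vault `namespace` property added in the following hunk all document themselves, so a reader of generated docs or an editor consuming this schema gets no text for the provider at all. A line such as `"description": "Passbolt configures this store to sync secrets using the Passbolt provider",` placed before `"properties"` would match the sibling entries; as the file is generated, the sentence belongs on the upstream Go type's doc comment. `host` is a bare string with no `format` or `pattern`, which is consistent with the other provider URL fields in this file but worth knowing when relying on schema validation alone, since nothing here rejects a non-URL value. The `passbolt` entry begins in the hunk that opens on an earlier line of this page.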
@@ -272,7 +272,8 @@
 "description": "Binding represents a servicebinding.io Provisioned Service reference to the secret",
 "properties": {
 "name": {
- "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?",
+ "default": "",
+ "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.",
 "type": "string"
 }
 },
diff --git a/external-secrets.io/externalsecret_v1beta1.json b/external-secrets.io/externalsecret_v1beta1.json
index 92288536..4c849319 100644
--- a/external-secrets.io/externalsecret_v1beta1.json
+++ b/external-secrets.io/externalsecret_v1beta1.json
@@ -556,7 +556,8 @@
 "description": "Binding represents a servicebinding.io Provisioned Service reference to the secret",
 "properties": {
 "name": {
- "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?",
+ "default": "",
+ "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nTODO: Add other useful fields. apiVersion, kind, uid?\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.",
 "type": "string"
 }
 },
diff --git a/external-secrets.io/pushsecret_v1alpha1.json b/external-secrets.io/pushsecret_v1alpha1.json
index 762de2a2..a750aa14 100644
--- a/external-secrets.io/pushsecret_v1alpha1.json
+++ b/external-secrets.io/pushsecret_v1alpha1.json
@@ -18,6 +18,15 @@
 "description": "Secret Data that should be pushed to providers",
 "items": {
 "properties": {
+ "conversionStrategy": {
+ "default": "None",
+ "description": "Used to define a conversion Strategy for the secret keys",
+ "enum": [
+ "None",
+ "ReverseUnicode"
+ ],
+ "type": "string"
+ },
 "match": {
 "description": "Match a given Secret Key to be pushed to the provider.",
 "properties": {
@@ -105,7 +114,8 @@
 "items": {
 "type": "string"
 },
- "type": "array"
+ "type": "array",
+ "x-kubernetes-list-type": "atomic"
 }
 },
 "required": [
@@ -115,7 +125,8 @@
 "type": "object",
 "additionalProperties": false
 },
- "type": "array"
+ "type": "array",
+ "x-kubernetes-list-type": "atomic"
 },
 "matchLabels": {
 "additionalProperties": {
@@ -307,6 +318,15 @@
 },
 "type": "object",
 "additionalProperties": false
+ },
+ "updatePolicy": {
+ "default": "Replace",
+ "description": "UpdatePolicy to handle Secrets in the provider. Possible Values: \"Replace/IfNotExists\". Defaults to \"Replace\".",
+ "enum": [
+ "Replace",
+ "IfNotExists"
+ ],
+ "type": "string"
 }
 },
 "required": [
@@ -360,6 +380,15 @@
 "additionalProperties": {
 "additionalProperties": {
 "properties": {
+ "conversionStrategy": {
+ "default": "None",
+ "description": "Used to define a conversion Strategy for the secret keys",
+ "enum": [
+ "None",
+ "ReverseUnicode"
+ ],
+ "type": "string"
+ },
 "match": {
 "description": "Match a given Secret Key to be pushed to the provider.",
 "properties": {
@@ -405,7 +434,7 @@
 },
 "type": "object"
 },
- "description": "Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore.",
+ "description": "Synced PushSecrets, including secrets that already exist in provider.\nMatches secret stores to PushSecretData that was stored to that secret store.",
 "type": "object"
 },
 "syncedResourceVersion": {
diff --git a/external-secrets.io/secretstore_v1alpha1.json b/external-secrets.io/secretstore_v1alpha1.json
index df71d8e1..f86d6418 100644
--- a/external-secrets.io/secretstore_v1alpha1.json
+++ b/external-secrets.io/secretstore_v1alpha1.json
@@ -1051,6 +1051,61 @@
 "type": "object",
 "additionalProperties": false
 },
+ "passworddepot": {
+ "description": "Configures a store to sync secrets with a Password Depot instance.",
+ "properties": {
+ "auth": {
+ "description": "Auth configures how secret-manager authenticates with a Password Depot instance.",
+ "properties": {
+ "secretRef": {
+ "properties": {
+ "credentials": {
+ "description": "Username / Password is used for authentication.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "secretRef"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
+ "database": {
+ "description": "Database to use as source",
+ "type": "string"
+ },
+ "host": {
+ "description": "URL configures the Password Depot instance URL.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "auth",
+ "database",
+ "host"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
 "vault": {
 "description": "Vault configures this store to sync secrets using Hashi provider",
 "properties": {
diff --git a/external-secrets.io/secretstore_v1beta1.json b/external-secrets.io/secretstore_v1beta1.json
index ae9b9723..9b6cfa19 100644
--- a/external-secrets.io/secretstore_v1beta1.json
+++ b/external-secrets.io/secretstore_v1beta1.json
@@ -41,7 +41,8 @@
 "items": {
 "type": "string"
 },
- "type": "array"
+ "type": "array",
+ "x-kubernetes-list-type": "atomic"
 }
 },
 "required": [
@@ -51,7 +52,8 @@
 "type": "object",
 "additionalProperties": false
 },
- "type": "array"
+ "type": "array",
+ "x-kubernetes-list-type": "atomic"
 },
 "matchLabels": {
 "additionalProperties": {
@@ -556,10 +558,29 @@
 "description": "AzureKV configures this store to sync secrets using Azure Key Vault provider",
 "properties": {
 "authSecretRef": {
- "description": "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.",
+ "description": "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.",
 "properties": {
+ "clientCertificate": {
+ "description": "The Azure ClientCertificate of the service principle used for authentication.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
 "clientId": {
- "description": "The Azure clientId of the service principle used for authentication.",
+ "description": "The Azure clientId of the service principle or managed identity used for authentication.",
 "properties": {
 "key": {
 "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
@@ -595,6 +616,25 @@
 },
 "type": "object",
 "additionalProperties": false
+ },
+ "tenantId": {
+ "description": "The Azure tenantId of the managed identity used for authentication.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
 }
 },
 "type": "object",
@@ -651,7 +691,7 @@
 "additionalProperties": false
 },
 "tenantId": {
- "description": "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.",
+ "description": "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.",
 "type": "string"
 },
 "vaultUrl": {
@@ -786,6 +826,10 @@
 "account": {
 "type": "string"
 },
+ "hostId": {
+ "description": "Optional HostID for JWT authentication. This may be used depending\non how the Conjur JWT authenticator policy is configured.",
+ "type": "string"
+ },
 "secretRef": {
 "description": "Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Conjur using the JWT authentication method.",
 "properties": {
@@ -1092,6 +1136,43 @@
 "type": "object",
 "additionalProperties": false
 },
+ "fortanix": {
+ "description": "Fortanix configures this store to sync secrets using the Fortanix provider",
+ "properties": {
+ "apiKey": {
+ "description": "APIKey is the API token to access SDKMS Applications.",
+ "properties": {
+ "secretRef": {
+ "description": "SecretRef is a reference to a secret containing the SDKMS API Key.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
+ "apiUrl": {
+ "description": "APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
 "gcpsm": {
 "description": "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider",
 "properties": {
@@ -1518,6 +1599,83 @@
 "type": "object",
 "additionalProperties": false
 },
+ "onboardbase": {
+ "description": "Onboardbase configures this store to sync secrets using the Onboardbase provider",
+ "properties": {
+ "apiHost": {
+ "default": "https://public.onboardbase.com/api/v1/",
+ "description": "APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/",
+ "type": "string"
+ },
+ "auth": {
+ "description": "Auth configures how the Operator authenticates with the Onboardbase API",
+ "properties": {
+ "apiKeyRef": {
+ "description": "OnboardbaseAPIKey is the APIKey generated by an admin account.\nIt is used to recognize and authorize access to a project and environment within onboardbase",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
+ "passcodeRef": {
+ "description": "OnboardbasePasscode is the passcode attached to the API Key",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "apiKeyRef",
+ "passcodeRef"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
+ "environment": {
+ "default": "development",
+ "description": "Environment is the name of an environmnent within a project to pull the secrets from",
+ "type": "string"
+ },
+ "project": {
+ "default": "development",
+ "description": "Project is an onboardbase project that the secrets should be pulled from",
+ "type": "string"
+ }
+ },
+ "required": [
+ "apiHost",
+ "auth",
+ "environment",
+ "project"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
 "onepassword": {
 "description": "OnePassword configures this store to sync secrets using the 1Password Cloud provider",
 "properties": {
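Review bot: `project` carries `"default": "development"`, identical to the default on `environment` just above it, which reads like a copy-paste; a defaulted project name means a store that omits `project` silently pulls secrets from whatever project happens to be called "development" instead of failing validation. `project` is also listed in `required` together with `apiHost` and `environment`, which both have defaults too, so the `required` entries and the defaults contradict each other: either the defaults go and the fields must be given, or the fields are optional. If this mirrors the upstream CRD it is worth raising there rather than hand-editing the generated schema. The `environment` description also misspells "environment" as "environmnent".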
@@ -1711,6 +1869,124 @@
 "type": "object",
 "additionalProperties": false
 },
+ "passbolt": {
+ "properties": {
+ "auth": {
+ "description": "Auth defines the information necessary to authenticate against Passbolt Server",
+ "properties": {
+ "passwordSecretRef": {
+ "description": "A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ },
+ "privateKeySecretRef": {
+ "description": "A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "passwordSecretRef",
+ "privateKeySecretRef"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
+ "host": {
+ "description": "Host defines the Passbolt Server to connect to",
+ "type": "string"
+ }
+ },
+ "required": [
+ "auth",
+ "host"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
+ "passworddepot": {
+ "description": "Configures a store to sync secrets with a Password Depot instance.",
+ "properties": {
+ "auth": {
+ "description": "Auth configures how secret-manager authenticates with a Password Depot instance.",
+ "properties": {
+ "secretRef": {
+ "properties": {
+ "credentials": {
+ "description": "Username / Password is used for authentication.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "secretRef"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
+ "database": {
+ "description": "Database to use as source",
+ "type": "string"
+ },
+ "host": {
+ "description": "URL configures the Password Depot instance URL.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "auth",
+ "database",
+ "host"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
 "pulumi": {
 "description": "Pulumi configures this store to sync secrets using the Pulumi provider",
 "properties": {
@@ -2332,6 +2608,10 @@
 "type": "object",
 "additionalProperties": false
 },
+ "namespace": {
+ "description": "Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.\nNamespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces\nThis will default to Vault.Namespace field if set, or empty otherwise",
+ "type": "string"
+ },
 "tokenSecretRef": {
 "description": "TokenSecretRef authenticates with Vault by presenting a token.",
 "properties": {
diff --git a/generators.external-secrets.io/acraccesstoken_v1alpha1.json b/generators.external-secrets.io/acraccesstoken_v1alpha1.json
index 5e9cd7db..7ef1f52a 100644
--- a/generators.external-secrets.io/acraccesstoken_v1alpha1.json
+++ b/generators.external-secrets.io/acraccesstoken_v1alpha1.json
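Review bot: The new `passbolt` provider object has no `description`, unlike `passworddepot` and `pulumi` in this same hunk and the other providers added in this commit; adding `"description": "Passbolt configures this store to sync secrets using the Passbolt provider"` keeps the provider list self-documenting. In `passworddepot`, `auth.secretRef` likewise has no description and no `required`, so `secretRef: {}` validates although `credentials` is the only property it can hold. The `credentials` description "Username / Password is used for authentication." does not say how the two values are packed into the single referenced Secret key, which is exactly what someone writing that Secret needs to know; presumably a fixed separator or format is expected, and the description should state it.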
@@ -1,19 +1,19 @@
 {
- "description": "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md",
+ "description": "ACRAccessToken returns a Azure Container Registry token\nthat can be used for pushing/pulling images.\nNote: by default it will return an ACR Refresh Token with full access\n(depending on the identity).\nThis can be scoped down to the repository level using .spec.scope.\nIn case scope is defined it will return an ACR Access Token.\n\n\nSee docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md",
 "properties": {
 "apiVersion": {
- "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
 "type": "string"
 },
 "kind": {
- "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 "type": "string"
 },
 "metadata": {
 "type": "object"
 },
 "spec": {
- "description": "ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview",
+ "description": "ACRAccessTokenSpec defines how to generate the access token\ne.g. how to authenticate and which registry to use.\nsee: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview",
 "properties": {
 "auth": {
 "properties": {
@@ -32,13 +32,13 @@
 "description": "ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.",
 "properties": {
 "secretRef": {
- "description": "Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret.",
+ "description": "Configuration used to authenticate with Azure using static\ncredentials stored in a Kind=Secret.",
 "properties": {
 "clientId": {
 "description": "The Azure clientId of the service principle used for authentication.",
 "properties": {
 "key": {
- "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
 "type": "string"
 },
 "name": {
@@ -46,7 +46,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
@@ -57,7 +57,7 @@
 "description": "The Azure ClientSecret of the service principle used for authentication.",
 "properties": {
 "key": {
- "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
 "type": "string"
 },
 "name": {
@@ -65,7 +65,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
@@ -87,10 +87,10 @@
 "description": "WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.",
 "properties": {
 "serviceAccountRef": {
- "description": "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.",
+ "description": "ServiceAccountRef specified the service account\nthat should be used when authenticating with WorkloadIdentity.",
 "properties": {
 "audiences": {
- "description": "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list",
+ "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list",
 "items": {
 "type": "string"
 },
@@ -101,7 +101,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
@@ -121,7 +121,7 @@
 },
 "environmentType": {
 "default": "PublicCloud",
- "description": "EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud",
+ "description": "EnvironmentType specifies the Azure cloud environment endpoints to use for\nconnecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.\nThe following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152\nPublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud",
 "enum": [
 "PublicCloud",
 "USGovernmentCloud",
@@ -131,11 +131,11 @@
 "type": "string"
 },
 "registry": {
- "description": "the domain name of the ACR registry e.g. foobarexample.azurecr.io",
+ "description": "the domain name of the ACR registry\ne.g. foobarexample.azurecr.io",
 "type": "string"
 },
 "scope": {
- "description": "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/",
+ "description": "Define the scope for the access token, e.g. pull/push access for a repository.\nif not provided it will return a refresh token that has full scope.\nNote: you need to pin it down to the repository level, there is no wildcard available.\n\n\nexamples:\nrepository:my-repository:pull,push\nrepository:my-repository:pull\n\n\nsee docs for details: https://docs.docker.com/registry/spec/auth/scope/",
 "type": "string"
 },
 "tenantId": {
diff --git a/generators.external-secrets.io/ecrauthorizationtoken_v1alpha1.json b/generators.external-secrets.io/ecrauthorizationtoken_v1alpha1.json
index 8f3a1fde..cdc6f48e 100644
--- a/generators.external-secrets.io/ecrauthorizationtoken_v1alpha1.json
+++ b/generators.external-secrets.io/ecrauthorizationtoken_v1alpha1.json
@@ -1,12 +1,12 @@
 {
- "description": "ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.",
+ "description": "ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an\nauthorization token.\nThe authorization token is valid for 12 hours.\nThe authorizationToken returned is a base64 encoded string that can be decoded\nand used in a docker login command to authenticate to a registry.\nFor more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.",
 "properties": {
 "apiVersion": {
- "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
 "type": "string"
 },
 "kind": {
- "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 "type": "string"
 },
 "metadata": {
@@ -24,7 +24,7 @@
 "description": "A reference to a ServiceAccount resource.",
 "properties": {
 "audiences": {
- "description": "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list",
+ "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list",
 "items": {
 "type": "string"
 },
@@ -35,7 +35,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
@@ -50,13 +50,13 @@
 "additionalProperties": false
 },
 "secretRef": {
- "description": "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.",
+ "description": "AWSAuthSecretRef holds secret references for AWS credentials\nboth AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.",
 "properties": {
 "accessKeyIDSecretRef": {
 "description": "The AccessKeyID is used for authentication",
 "properties": {
 "key": {
- "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
 "type": "string"
 },
 "name": {
@@ -64,7 +64,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
@@ -75,7 +75,7 @@
 "description": "The SecretAccessKey is used for authentication",
 "properties": {
 "key": {
- "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
 "type": "string"
 },
 "name": {
@@ -83,7 +83,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
@@ -91,10 +91,10 @@
 "additionalProperties": false
 },
 "sessionTokenSecretRef": {
- "description": "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html",
+ "description": "The SessionToken used for authentication\nThis must be defined if AccessKeyID and SecretAccessKey are temporary credentials\nsee: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html",
 "properties": {
 "key": {
- "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
 "type": "string"
 },
 "name": {
@@ -102,7 +102,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
@@ -122,7 +122,7 @@
 "type": "string"
 },
 "role": {
- "description": "You can assume a role before making calls to the desired AWS service.",
+ "description": "You can assume a role before making calls to the\ndesired AWS service.",
 "type": "string"
 }
 },
diff --git a/generators.external-secrets.io/fake_v1alpha1.json b/generators.external-secrets.io/fake_v1alpha1.json
index 4f8ae967..1812cd90 100644
--- a/generators.external-secrets.io/fake_v1alpha1.json
+++ b/generators.external-secrets.io/fake_v1alpha1.json
@@ -1,12 +1,12 @@
 {
- "description": "Fake generator is used for testing. It lets you define a static set of credentials that is always returned.",
+ "description": "Fake generator is used for testing. It lets you define\na static set of credentials that is always returned.",
 "properties": {
 "apiVersion": {
- "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
 "type": "string"
 },
 "kind": {
- "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 "type": "string"
 },
 "metadata": {
@@ -16,14 +16,14 @@
 "description": "FakeSpec contains the static data.",
 "properties": {
 "controller": {
- "description": "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property",
+ "description": "Used to select the correct ESO controller (think: ingress.ingressClassName)\nThe ESO controller is instantiated with a specific controller name and filters VDS based on this property",
 "type": "string"
 },
 "data": {
 "additionalProperties": {
 "type": "string"
 },
- "description": "Data defines the static data returned by this generator.",
+ "description": "Data defines the static data returned\nby this generator.",
 "type": "object"
 }
 },
diff --git a/generators.external-secrets.io/gcraccesstoken_v1alpha1.json b/generators.external-secrets.io/gcraccesstoken_v1alpha1.json
index 929fd484..89dfb99b 100644
--- a/generators.external-secrets.io/gcraccesstoken_v1alpha1.json
+++ b/generators.external-secrets.io/gcraccesstoken_v1alpha1.json
@@ -1,12 +1,12 @@
 {
- "description": "GCRAccessToken generates an GCP access token that can be used to authenticate with GCR.",
+ "description": "GCRAccessToken generates an GCP access token\nthat can be used to authenticate with GCR.",
 "properties": {
 "apiVersion": {
- "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
 "type": "string"
 },
 "kind": {
- "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 "type": "string"
 },
 "metadata": {
@@ -23,7 +23,7 @@
 "description": "The SecretAccessKey is used for authentication",
 "properties": {
 "key": {
- "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
 "type": "string"
 },
 "name": {
@@ -31,7 +31,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
@@ -57,7 +57,7 @@
 "description": "A reference to a ServiceAccount resource.",
 "properties": {
 "audiences": {
- "description": "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list",
+ "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list",
 "items": {
 "type": "string"
 },
@@ -68,7 +68,7 @@
 "type": "string"
 },
 "namespace": {
- "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.",
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
 "type": "string"
 }
 },
diff --git a/generators.external-secrets.io/githubaccesstoken_v1alpha1.json b/generators.external-secrets.io/githubaccesstoken_v1alpha1.json
new file mode 100644
index 00000000..eccd1e23
--- /dev/null
+++ b/generators.external-secrets.io/githubaccesstoken_v1alpha1.json
@@ -0,0 +1,76 @@
+{
+ "description": "GithubAccessToken generates ghs_ accessToken",
+ "properties": {
+ "apiVersion": {
+ "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "type": "string"
+ },
+ "kind": {
+ "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "type": "string"
+ },
+ "metadata": {
+ "type": "object"
+ },
+ "spec": {
+ "properties": {
+ "appID": {
+ "type": "string"
+ },
+ "auth": {
+ "description": "Auth configures how ESO authenticates with a Github instance.",
+ "properties": {
+ "privatKey": {
+ "properties": {
+ "secretRef": {
+ "description": "A reference to a specific 'key' within a Secret resource,\nIn some instances, `key` is a required field.",
+ "properties": {
+ "key": {
+ "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the Secret resource being referred to.",
+ "type": "string"
+ },
+ "namespace": {
+ "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.",
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "secretRef"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "privatKey"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ },
+ "installID": {
+ "type": "string"
+ },
+ "url": {
+ "description": "URL configures the Github instance URL. Defaults to https://github.com/.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "appID",
+ "auth",
+ "installID"
+ ],
+ "type": "object",
+ "additionalProperties": false
+ }
+ },
+ "type": "object"
+}
diff --git a/generators.external-secrets.io/password_v1alpha1.json b/generators.external-secrets.io/password_v1alpha1.json
index 980b9996..327d1863 100644
--- a/generators.external-secrets.io/password_v1alpha1.json
+++ b/generators.external-secrets.io/password_v1alpha1.json
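Review bot: `auth.privatKey` is misspelled, and because the name is pinned by both `required` and `additionalProperties: false`, a user who writes the natural `privateKey` gets a validation failure with no hint about why; if the name mirrors the upstream CRD it cannot be corrected here, but it should at least be called out in a description. `spec`, `appID`, `installID` and `privatKey` all lack a `description`, unlike `auth` and `url` in the same object and unlike the sibling generator schemas in this commit; presumably these are the GitHub App ID, the installation ID and the App's private key, and a one-line description on each, such as on `privatKey`: "Reference to the Secret holding the private key; note the field name is spelled privatKey", would make that explicit. The top-level description "GithubAccessToken generates ghs_ accessToken" could also state that the token is scoped to the installation named by `installID`, if that is what the generator does.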
@@ -1,12 +1,12 @@ { - "description": "Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes.", + "description": "Password generates a random password based on the\nconfiguration parameters in spec.\nYou can specify the length, characterset and other attributes.", "properties": { "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { 
@@ -21,12 +21,12 @@ "type": "boolean" }, "digits": { - "description": "Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password", + "description": "Digits specifies the number of digits in the generated\npassword. If omitted it defaults to 25% of the length of the password", "type": "integer" }, "length": { "default": 24, - "description": "Length of the password to be generated. Defaults to 24", + "description": "Length of the password to be generated.\nDefaults to 24", "type": "integer" }, "noUpper": { @@ -35,11 +35,11 @@ "type": "boolean" }, "symbolCharacters": { - "description": "SymbolCharacters specifies the special characters that should be used in the generated password.", + "description": "SymbolCharacters specifies the special characters that should be used\nin the generated password.", "type": "string" }, "symbols": { - "description": "Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password", + "description": "Symbols specifies the number of symbol characters in the generated\npassword. If omitted it defaults to 25% of the length of the password", "type": "integer" } }, diff --git a/generators.external-secrets.io/vaultdynamicsecret_v1alpha1.json b/generators.external-secrets.io/vaultdynamicsecret_v1alpha1.json index 16734cff..d4f11846 100644 --- a/generators.external-secrets.io/vaultdynamicsecret_v1alpha1.json +++ b/generators.external-secrets.io/vaultdynamicsecret_v1alpha1.json 
@@ -1,11 +1,11 @@ { "properties": { "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { @@ -14,7 +14,7 @@ "spec": { "properties": { "controller": { - "description": "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property", + "description": "Used to select the correct ESO controller (think: ingress.ingressClassName)\nThe ESO controller is instantiated with a specific controller name and filters VDS based on this property", "type": "string" }, "method": { 
@@ -36,22 +36,22 @@ "description": "Auth configures how secret-manager authenticates with the Vault server.", "properties": { "appRole": { - "description": "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.", + "description": "AppRole authenticates with Vault using the App Role auth mechanism,\nwith the role and secret stored in a Kubernetes Secret resource.", "properties": { "path": { "default": "approle", - "description": "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"", + "description": "Path where the App Role authentication backend is mounted\nin Vault, e.g: \"approle\"", "type": "string" }, "roleId": { - "description": "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.", + "description": "RoleID configured in the App Role authentication backend when setting\nup the authentication backend in Vault.", "type": "string" }, "roleRef": { - "description": "Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.", + "description": "Reference to a key in a Secret that contains the App Role ID used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role id.", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { 
@@ -59,7 +59,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, @@ -67,10 +67,10 @@ "additionalProperties": false }, "secretRef": { - "description": "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.", + "description": "Reference to a key in a Secret that contains the App Role secret used\nto authenticate with Vault.\nThe `key` field must be specified and denotes which entry within the Secret\nresource is used as the app role secret.", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { @@ -78,7 +78,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, 
@@ -94,13 +94,13 @@ "additionalProperties": false }, "cert": { - "description": "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method", + "description": "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate\nCert authentication method", "properties": { "clientCert": { - "description": "ClientCert is a certificate to authenticate using the Cert Vault authentication method", + "description": "ClientCert is a certificate to authenticate using the Cert Vault\nauthentication method", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { @@ -108,7 +108,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, 
@@ -116,10 +116,10 @@ "additionalProperties": false }, "secretRef": { - "description": "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method", + "description": "SecretRef to a key in a Secret resource containing client private key to\nauthenticate with Vault using the Cert authentication method", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { @@ -127,7 +127,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, @@ -139,7 +139,7 @@ "additionalProperties": false }, "iam": { - "description": "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method", + "description": "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials\nAWS IAM authentication method", "properties": { "externalID": { "description": "AWS External ID set on assumed IAM roles", 
@@ -152,7 +152,7 @@ "description": "A reference to a ServiceAccount resource.", "properties": { "audiences": { - "description": "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list", + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", "items": { "type": "string" }, @@ -163,7 +163,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, @@ -196,7 +196,7 @@ "description": "The AccessKeyID is used for authentication", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { @@ -204,7 +204,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, 
@@ -215,7 +215,7 @@ "description": "The SecretAccessKey is used for authentication", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { @@ -223,7 +223,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, @@ -231,10 +231,10 @@ "additionalProperties": false }, "sessionTokenSecretRef": { - "description": "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html", + "description": "The SessionToken used for authentication\nThis must be defined if AccessKeyID and SecretAccessKey are temporary credentials\nsee: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { 
@@ -242,7 +242,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, 
@@ -269,20 +269,20 @@ "additionalProperties": false }, "jwt": { - "description": "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method", + "description": "Jwt authenticates with Vault by passing role and JWT token using the\nJWT/OIDC authentication method", "properties": { "kubernetesServiceAccountToken": { - "description": "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.", + "description": "Optional ServiceAccountToken specifies the Kubernetes service account for which to request\na token for with the `TokenRequest` API.", "properties": { "audiences": { - "description": "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead", + "description": "Optional audiences field that will be used to request a temporary Kubernetes service\naccount token for the service account referenced by `serviceAccountRef`.\nDefaults to a single audience `vault` it not specified.\nDeprecated: use serviceAccountRef.Audiences instead", "items": { "type": "string" }, "type": "array" }, "expirationSeconds": { - "description": "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.", + "description": "Optional expiration time in seconds that will be used to request a temporary\nKubernetes service account token for the service account referenced by\n`serviceAccountRef`.\nDeprecated: this will be removed in the future.\nDefaults to 10 minutes.", "format": "int64", "type": "integer" }, 
@@ -290,7 +290,7 @@ "description": "Service account field containing the name of a kubernetes ServiceAccount.", "properties": { "audiences": { - "description": "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list", + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", "items": { "type": "string" }, @@ -301,7 +301,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, 
@@ -320,18 +320,18 @@ }, "path": { "default": "jwt", - "description": "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"", + "description": "Path where the JWT authentication backend is mounted\nin Vault, e.g: \"jwt\"", "type": "string" }, "role": { - "description": "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method", + "description": "Role is a JWT role to authenticate using the JWT/OIDC Vault\nauthentication method", "type": "string" }, "secretRef": { - "description": "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.", + "description": "Optional SecretRef that refers to a key in a Secret resource containing JWT token to\nauthenticate with Vault using the JWT/OIDC authentication method.", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { @@ -339,7 +339,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, 
@@ -354,22 +354,22 @@ "additionalProperties": false }, "kubernetes": { - "description": "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.", + "description": "Kubernetes authenticates with Vault by passing the ServiceAccount\ntoken stored in the named Secret resource to the Vault server.", "properties": { "mountPath": { "default": "kubernetes", - "description": "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"", + "description": "Path where the Kubernetes authentication backend is mounted in Vault, e.g:\n\"kubernetes\"", "type": "string" }, "role": { - "description": "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.", + "description": "A required field containing the Vault Role to assume. A Role binds a\nKubernetes ServiceAccount with a set of Vault policies.", "type": "string" }, "secretRef": { - "description": "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.", + "description": "Optional secret field containing a Kubernetes ServiceAccount JWT used\nfor authenticating with Vault. If a name is specified without a key,\n`token` is the default. If one is not specified, the one bound to\nthe controller will be used.", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { 
@@ -377,7 +377,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, @@ -385,10 +385,10 @@ "additionalProperties": false }, "serviceAccountRef": { - "description": "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.", + "description": "Optional service account field containing the name of a kubernetes ServiceAccount.\nIf the service account is specified, the service account secret token JWT will be used\nfor authenticating with Vault. If the service account selector is not supplied,\nthe secretRef will be used instead.", "properties": { "audiences": { - "description": "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list", + "description": "Audience specifies the `aud` claim for the service account token\nIf the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity\nthen this audiences will be appended to the list", "items": { "type": "string" }, 
@@ -399,7 +399,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, @@ -418,18 +418,18 @@ "additionalProperties": false }, "ldap": { - "description": "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method", + "description": "Ldap authenticates with Vault by passing username/password pair using\nthe LDAP authentication method", "properties": { "path": { "default": "ldap", - "description": "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"", + "description": "Path where the LDAP authentication backend is mounted\nin Vault, e.g: \"ldap\"", "type": "string" }, "secretRef": { - "description": "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method", + "description": "SecretRef to a key in a Secret resource containing password for the LDAP\nuser used to authenticate with Vault using the LDAP authentication\nmethod", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { 
@@ -437,7 +437,7 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, @@ -445,7 +445,7 @@ "additionalProperties": false }, "username": { - "description": "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method", + "description": "Username is a LDAP user name used to authenticate using the LDAP Vault\nauthentication method", "type": "string" } }, @@ -456,11 +456,15 @@ "type": "object", "additionalProperties": false }, + "namespace": { + "description": "Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.\nNamespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces\nThis will default to Vault.Namespace field if set, or empty otherwise", + "type": "string" + }, "tokenSecretRef": { "description": "TokenSecretRef authenticates with Vault by presenting a token.", "properties": { "key": { - "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.", + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", "type": "string" }, "name": { 
@@ -468,19 +472,58 @@ "type": "string" }, "namespace": { - "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.", + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", "type": "string" } }, "type": "object", "additionalProperties": false + }, + "userPass": { + "description": "UserPass authenticates with Vault by passing username/password pair", + "properties": { + "path": { + "default": "user", + "description": "Path where the UserPassword authentication backend is mounted\nin Vault, e.g: \"user\"", + "type": "string" + }, + "secretRef": { + "description": "SecretRef to a key in a Secret resource containing password for the\nuser used to authenticate with Vault using the UserPass authentication\nmethod", + "properties": { + "key": { + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "username": { + "description": "Username is a user name used to authenticate using the UserPass Vault\nauthentication method", + "type": "string" + } + }, + "required": [ + "path", + "username" + ], + "type": "object", + "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "caBundle": { - "description": "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.", + "description": "PEM encoded CA bundle used to validate Vault server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. If not set the system root certificates\nare used to validate the TLS connection.", "format": "byte", "type": "string" }, @@ -496,7 +539,7 @@ "type": "string" }, "namespace": { - "description": "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.", + "description": "The namespace the Provider type is in.\nCan only be defined when used in a ClusterSecretStore.", "type": "string" }, "type": { 
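Review bot: The new `userPass` block lists `path` and `username` in `required` but not `secretRef`, so an auth stanza naming a user with no password reference is accepted by the API server and fails only at runtime in the controller; if the password reference is mandatory upstream, `"secretRef"` belongs in that `required` list, and `secretRef` itself could require `name`. The `path` default of `"user"` appears to differ from the `userpass` mount path Vault uses by default, which is worth a sentence in the description so operators who mounted the method at Vault's default know to set `path` explicitly. The same missing-`required` shape applies to the `tls` block in the `@@ -516,28 +559,73 @@` hunk, where `certSecretRef` and `keySecretRef` are each optional although a client certificate needs both; if the controller treats one without the other as an error, the schema should say so.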
@@ -516,28 +559,73 @@ "additionalProperties": false }, "forwardInconsistent": { - "description": "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header", + "description": "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault\nleader instead of simply retrying within a loop. This can increase performance if\nthe option is enabled serverside.\nhttps://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header", "type": "boolean" }, "namespace": { - "description": "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces", + "description": "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows\nVault environments to support Secure Multi-tenancy. e.g: \"ns1\".\nMore about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces", "type": "string" }, "path": { - "description": "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.", + "description": "Path is the mount path of the Vault KV backend endpoint, e.g:\n\"secret\". 
The v2 KV secret engine version specific \"/data\" path suffix\nfor fetching secrets from Vault is optional and will be appended\nif not present in specified path.", "type": "string" }, "readYourWrites": { - "description": "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency", + "description": "ReadYourWrites ensures isolated read-after-write semantics by\nproviding discovered cluster replication states in each request.\nMore information about eventual consistency in Vault can be found here\nhttps://www.vaultproject.io/docs/enterprise/consistency", "type": "boolean" }, "server": { "description": "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\".", "type": "string" }, + "tls": { + "description": "The configuration used for client side related TLS communication, when the Vault server\nrequires mutual authentication. Only used if the Server URL is using HTTPS protocol.\nThis parameter is ignored for plain HTTP protocol connection.\nIt's worth noting this configuration is different from the \"TLS certificates auth method\",\nwhich is available under the `auth.cert` section.", + "properties": { + "certSecretRef": { + "description": "CertSecretRef is a certificate added to the transport layer\nwhen communicating with the Vault server.\nIf no key for the Secret is specified, external-secret will default to 'tls.crt'.", + "properties": { + "key": { + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "keySecretRef": { + "description": "KeySecretRef to a key in a Secret resource containing client private key\nadded to the transport layer when communicating with the Vault server.\nIf no key for the Secret is specified, external-secret will default to 'tls.key'.", + "properties": { + "key": { + "description": "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be\ndefaulted, in others it may be required.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + }, + "namespace": { + "description": "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults\nto the namespace of the referent.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, "version": { "default": "v2", - "description": "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\".", + "description": "Version is the Vault KV secret engine version. This can be either \"v1\" or\n\"v2\". Version defaults to \"v2\".", "enum": [ "v1", "v2" 
@@ -554,7 +642,11 @@ }, "resultType": { "default": "Data", - "description": "Result type defines which data is returned from the generator. By default it is the \"data\" section of the Vault API response. When using e.g. /auth/token/create the \"data\" section is empty but the \"auth\" section contains the generated token. Please refer to the vault docs regarding the result data structure.", + "description": "Result type defines which data is returned from the generator.\nBy default it is the \"data\" section of the Vault API response.\nWhen using e.g. /auth/token/create the \"data\" section is empty but\nthe \"auth\" section contains the generated token.\nPlease refer to the vault docs regarding the result data structure.", + "enum": [ + "Data", + "Auth" + ], "type": "string" } }, diff --git a/generators.external-secrets.io/webhook_v1alpha1.json b/generators.external-secrets.io/webhook_v1alpha1.json new file mode 100644 index 00000000..a0f915a0 --- /dev/null +++ b/generators.external-secrets.io/webhook_v1alpha1.json 
@@ -0,0 +1,131 @@ +{ + "description": "Webhook connects to a third party API server to handle the secrets generation\nconfiguration parameters in spec.\nYou can specify the server, the token, and additional body parameters.\nSee documentation for the full API specification for requests and responses.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.", + "properties": { + "body": { + "description": "Body", + "type": "string" + }, + "caBundle": { + "description": "PEM encoded CA bundle used to validate webhook server certificate. Only used\nif the Server URL is using HTTPS protocol. This parameter is ignored for\nplain HTTP protocol connection. 
If not set the system root certificates\nare used to validate the TLS connection.", + "format": "byte", + "type": "string" + }, + "caProvider": { + "description": "The provider for the CA bundle to use to validate webhook server certificate.", + "properties": { + "key": { + "description": "The key the value inside of the provider type to use, only used with \"Secret\" type", + "type": "string" + }, + "name": { + "description": "The name of the object located at the provider type.", + "type": "string" + }, + "namespace": { + "description": "The namespace the Provider type is in.", + "type": "string" + }, + "type": { + "description": "The type of provider to use such as \"Secret\", or \"ConfigMap\".", + "enum": [ + "Secret", + "ConfigMap" + ], + "type": "string" + } + }, + "required": [ + "name", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "headers": { + "additionalProperties": { + "type": "string" + }, + "description": "Headers", + "type": "object" + }, + "method": { + "description": "Webhook Method", + "type": "string" + }, + "result": { + "description": "Result formatting", + "properties": { + "jsonPath": { + "description": "Json path of return value", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "secrets": { + "description": "Secrets to fill in templates\nThese secrets will be passed to the templating function as key value pairs under the given name", + "items": { + "properties": { + "name": { + "description": "Name of this secret in templates", + "type": "string" + }, + "secretRef": { + "description": "Secret ref to fill in credentials", + "properties": { + "key": { + "description": "The key where the token is found.", + "type": "string" + }, + "name": { + "description": "The name of the Secret resource being referred to.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "name", + "secretRef" + ], + "type": "object", + 
"additionalProperties": false + }, + "type": "array" + }, + "timeout": { + "description": "Timeout", + "type": "string" + }, + "url": { + "description": "Webhook url to call", + "type": "string" + } + }, + "required": [ + "result", + "url" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +}