{
  "description": "ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.",
      "properties": {
        "namespaceSelectors": {
          "description": "A list of label selectors used to find the Namespaces in which the PushSecrets are created. The selectors are ORed.",
          "items": {
            "description": "A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.",
            "properties": {
              "matchExpressions": {
                "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                "items": {
                  "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                  "properties": {
                    "key": {
                      "description": "key is the label key that the selector applies to.",
                      "type": "string"
                    },
                    "operator": {
                      "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                      "type": "string"
                    },
                    "values": {
                      "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                      "items": {
                        "type": "string"
                      },
                      "type": "array",
                      "x-kubernetes-list-type": "atomic"
                    }
                  },
                  "required": [
                    "key",
                    "operator"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array",
                "x-kubernetes-list-type": "atomic"
              },
              "matchLabels": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                "type": "object"
              }
            },
            "type": "object",
            "x-kubernetes-map-type": "atomic",
            "additionalProperties": false
          },
          "type": "array"
        },
        "pushSecretMetadata": {
          "description": "The metadata of the push secrets to be created",
          "properties": {
            "annotations": {
              "additionalProperties": {
                "type": "string"
              },
              "type": "object"
            },
            "labels": {
              "additionalProperties": {
                "type": "string"
              },
              "type": "object"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "pushSecretName": {
          "description": "The name of the push secrets to be created.\nDefaults to the name of the ClusterPushSecret",
          "maxLength": 253,
          "minLength": 1,
          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
          "type": "string"
        },
        "pushSecretSpec": {
          "description": "PushSecretSpec defines what to do with the secrets.",
          "properties": {
            "data": {
              "description": "Secret Data that should be pushed to providers",
              "items": {
                "description": "PushSecretData defines data to be pushed to the provider and associated metadata.",
                "properties": {
                  "conversionStrategy": {
                    "default": "None",
                    "description": "Used to define a conversion Strategy for the secret keys",
                    "enum": [
                      "None",
                      "ReverseUnicode"
                    ],
                    "type": "string"
                  },
                  "match": {
                    "description": "Match a given Secret Key to be pushed to the provider.",
                    "properties": {
                      "remoteRef": {
                        "description": "Remote Refs to push to providers.",
                        "properties": {
                          "property": {
                            "description": "Name of the property in the resulting secret",
                            "type": "string"
                          },
                          "remoteKey": {
                            "description": "Name of the resulting provider secret.",
                            "type": "string"
                          }
                        },
                        "required": [
                          "remoteKey"
                        ],
                        "type": "object",
                        "additionalProperties": false
                      },
                      "secretKey": {
                        "description": "Secret Key to be pushed",
                        "type": "string"
                      }
                    },
                    "required": [
                      "remoteRef"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "metadata": {
                    "description": "Metadata is metadata attached to the secret.\nThe structure of metadata is provider specific, please look it up in the provider documentation.",
                    "x-kubernetes-preserve-unknown-fields": true
                  }
                },
                "required": [
                  "match"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "deletionPolicy": {
              "default": "None",
              "description": "Deletion Policy to handle Secrets in the provider.",
              "enum": [
                "Delete",
                "None"
              ],
              "type": "string"
            },
            "refreshInterval": {
              "default": "1h0m0s",
              "description": "The interval at which External Secrets will try to push a secret definition",
              "type": "string"
            },
            "secretStoreRefs": {
              "items": {
                "description": "PushSecretStoreRef contains a reference on how to sync to a SecretStore.",
                "properties": {
                  "kind": {
                    "default": "SecretStore",
                    "description": "Kind of the SecretStore resource (SecretStore or ClusterSecretStore)",
                    "enum": [
                      "SecretStore",
                      "ClusterSecretStore"
                    ],
                    "type": "string"
                  },
                  "labelSelector": {
                    "description": "Optionally, sync to the SecretStores that match this label selector",
                    "properties": {
                      "matchExpressions": {
                        "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                        "items": {
                          "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                          "properties": {
                            "key": {
                              "description": "key is the label key that the selector applies to.",
                              "type": "string"
                            },
                            "operator": {
                              "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                              "type": "string"
                            },
                            "values": {
                              "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                              "items": {
                                "type": "string"
                              },
                              "type": "array",
                              "x-kubernetes-list-type": "atomic"
                            }
                          },
                          "required": [
                            "key",
                            "operator"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      },
                      "matchLabels": {
                        "additionalProperties": {
                          "type": "string"
                        },
                        "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                        "type": "object"
                      }
                    },
                    "type": "object",
                    "x-kubernetes-map-type": "atomic",
                    "additionalProperties": false
                  },
                  "name": {
                    "description": "Optionally, sync to the SecretStore of the given name",
                    "maxLength": 253,
                    "minLength": 1,
                    "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "selector": {
              "description": "The Secret Selector (k8s source) for the Push Secret",
              "maxProperties": 1,
              "minProperties": 1,
              "properties": {
                "generatorRef": {
                  "description": "Point to a generator to create a Secret.",
                  "properties": {
                    "apiVersion": {
                      "default": "generators.external-secrets.io/v1alpha1",
                      "description": "Specify the apiVersion of the generator resource",
                      "type": "string"
                    },
                    "kind": {
                      "description": "Specify the Kind of the generator resource",
                      "enum": [
                        "ACRAccessToken",
                        "ClusterGenerator",
                        "CloudsmithAccessToken",
                        "ECRAuthorizationToken",
                        "Fake",
                        "GCRAccessToken",
                        "GithubAccessToken",
                        "QuayAccessToken",
                        "Password",
                        "SSHKey",
                        "STSSessionToken",
                        "UUID",
                        "VaultDynamicSecret",
                        "Webhook",
                        "Grafana",
                        "MFA"
                      ],
                      "type": "string"
                    },
                    "name": {
                      "description": "Specify the name of the generator resource",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                      "type": "string"
                    }
                  },
                  "required": [
                    "kind",
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "secret": {
                  "description": "Select a Secret to Push.",
                  "properties": {
                    "name": {
                      "description": "Name of the Secret.\nThe Secret must exist in the same namespace as the PushSecret manifest.",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                      "type": "string"
                    },
                    "selector": {
                      "description": "Selector chooses secrets using a labelSelector.",
                      "properties": {
                        "matchExpressions": {
                          "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                          "items": {
                            "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                            "properties": {
                              "key": {
                                "description": "key is the label key that the selector applies to.",
                                "type": "string"
                              },
                              "operator": {
                                "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                                "type": "string"
                              },
                              "values": {
                                "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                                "items": {
                                  "type": "string"
                                },
                                "type": "array",
                                "x-kubernetes-list-type": "atomic"
                              }
                            },
                            "required": [
                              "key",
                              "operator"
                            ],
                            "type": "object",
                            "additionalProperties": false
                          },
                          "type": "array",
                          "x-kubernetes-list-type": "atomic"
                        },
                        "matchLabels": {
                          "additionalProperties": {
                            "type": "string"
                          },
                          "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                          "type": "object"
                        }
                      },
                      "type": "object",
                      "x-kubernetes-map-type": "atomic",
                      "additionalProperties": false
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "template": {
              "description": "Template defines a blueprint for the created Secret resource.",
              "properties": {
                "data": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "type": "object"
                },
                "engineVersion": {
                  "default": "v2",
                  "description": "EngineVersion specifies the template engine version\nthat should be used to compile/execute the\ntemplate specified in .data and .templateFrom[].",
                  "enum": [
                    "v2"
                  ],
                  "type": "string"
                },
                "mergePolicy": {
                  "default": "Replace",
                  "description": "TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.",
                  "enum": [
                    "Replace",
                    "Merge"
                  ],
                  "type": "string"
                },
                "metadata": {
                  "description": "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.",
                  "properties": {
                    "annotations": {
                      "additionalProperties": {
                        "type": "string"
                      },
                      "type": "object"
                    },
                    "finalizers": {
                      "items": {
                        "type": "string"
                      },
                      "type": "array"
                    },
                    "labels": {
                      "additionalProperties": {
                        "type": "string"
                      },
                      "type": "object"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "templateFrom": {
                  "items": {
                    "description": "TemplateFrom specifies a source for templates.\nEach item in the list can either reference a ConfigMap or a Secret resource.",
                    "properties": {
                      "configMap": {
                        "description": "TemplateRef specifies a reference to either a ConfigMap or a Secret resource.",
                        "properties": {
                          "items": {
                            "description": "A list of keys in the ConfigMap/Secret to use as templates for Secret data",
                            "items": {
                              "description": "TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.",
                              "properties": {
                                "key": {
                                  "description": "A key in the ConfigMap/Secret",
                                  "maxLength": 253,
                                  "minLength": 1,
                                  "pattern": "^[-._a-zA-Z0-9]+$",
                                  "type": "string"
                                },
                                "templateAs": {
                                  "default": "Values",
                                  "description": "TemplateScope specifies how the template keys should be interpreted.",
                                  "enum": [
                                    "Values",
                                    "KeysAndValues"
                                  ],
                                  "type": "string"
                                }
                              },
                              "required": [
                                "key"
                              ],
                              "type": "object",
                              "additionalProperties": false
                            },
                            "type": "array"
                          },
                          "name": {
                            "description": "The name of the ConfigMap/Secret resource",
                            "maxLength": 253,
                            "minLength": 1,
                            "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                            "type": "string"
                          }
                        },
                        "required": [
                          "items",
                          "name"
                        ],
                        "type": "object",
                        "additionalProperties": false
                      },
                      "literal": {
                        "type": "string"
                      },
                      "secret": {
                        "description": "TemplateRef specifies a reference to either a ConfigMap or a Secret resource.",
                        "properties": {
                          "items": {
                            "description": "A list of keys in the ConfigMap/Secret to use as templates for Secret data",
                            "items": {
                              "description": "TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.",
                              "properties": {
                                "key": {
                                  "description": "A key in the ConfigMap/Secret",
                                  "maxLength": 253,
                                  "minLength": 1,
                                  "pattern": "^[-._a-zA-Z0-9]+$",
                                  "type": "string"
                                },
                                "templateAs": {
                                  "default": "Values",
                                  "description": "TemplateScope specifies how the template keys should be interpreted.",
                                  "enum": [
                                    "Values",
                                    "KeysAndValues"
                                  ],
                                  "type": "string"
                                }
                              },
                              "required": [
                                "key"
                              ],
                              "type": "object",
                              "additionalProperties": false
                            },
                            "type": "array"
                          },
                          "name": {
                            "description": "The name of the ConfigMap/Secret resource",
                            "maxLength": 253,
                            "minLength": 1,
                            "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                            "type": "string"
                          }
                        },
                        "required": [
                          "items",
                          "name"
                        ],
                        "type": "object",
                        "additionalProperties": false
                      },
                      "target": {
                        "default": "Data",
                        "description": "Target specifies where to place the template result.\nFor Secret resources, common values are: \"Data\", \"Annotations\", \"Labels\".\nFor custom resources (when spec.target.manifest is set), this supports\nnested paths like \"spec.database.config\" or \"data\".",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                },
                "type": {
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "updatePolicy": {
              "default": "Replace",
              "description": "UpdatePolicy to handle Secrets in the provider.",
              "enum": [
                "Replace",
                "IfNotExists"
              ],
              "type": "string"
            }
          },
          "required": [
            "secretStoreRefs",
            "selector"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "refreshTime": {
          "description": "The time interval at which the controller should reconcile its objects and recheck namespaces for labels.",
          "type": "string"
        }
      },
      "required": [
        "pushSecretSpec"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "description": "ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.",
      "properties": {
        "conditions": {
          "items": {
            "description": "PushSecretStatusCondition indicates the status of the PushSecret.",
            "properties": {
              "lastTransitionTime": {
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "type": "string"
              },
              "reason": {
                "type": "string"
              },
              "status": {
                "type": "string"
              },
              "type": {
                "description": "PushSecretConditionType indicates the condition of the PushSecret.",
                "type": "string"
              }
            },
            "required": [
              "status",
              "type"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "failedNamespaces": {
          "description": "Failed namespaces are the namespaces that failed to apply a PushSecret",
          "items": {
            "description": "ClusterPushSecretNamespaceFailure represents a failed namespace deployment and its reason.",
            "properties": {
              "namespace": {
                "description": "Namespace is the namespace that failed when trying to apply a PushSecret",
                "type": "string"
              },
              "reason": {
                "description": "Reason is why the PushSecret failed to apply to the namespace",
                "type": "string"
              }
            },
            "required": [
              "namespace"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "provisionedNamespaces": {
          "description": "ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "pushSecretName": {
          "type": "string"
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "type": "object"
}
