cdktf-crd
Version:
694 lines • 61.6 kB
TypeScript
import { Manifest, type ManifestConfig } from "@cdktf/provider-kubernetes/lib/manifest";
import { Construct } from "constructs";
export declare class KubernetesSecretStoreV1alpha1Manifest extends Manifest {
constructor(scope: Construct, id: string, config: KubernetesSecretStoreV1alpha1ManifestConfig);
}
export interface KubernetesSecretStoreV1alpha1ManifestConfig extends ManifestConfig {
manifest: {
apiVersion?: "external-secrets.io/v1alpha1";
kind?: "SecretStore";
metadata: {
annotations?: {
[key: string]: string;
};
labels?: {
[key: string]: string;
};
name: string;
namespace?: string;
};
/** @description SecretStoreSpec defines the desired state of SecretStore. */
spec?: {
/** @description Used to select the correct ESO controller (think: ingress.ingressClassName)
* The ESO controller is instantiated with a specific controller name and filters ES based on this property */
controller?: string;
/** @description Used to configure the provider. Only one provider may be set */
provider: {
/** @description Akeyless configures this store to sync secrets using Akeyless Vault provider */
akeyless?: {
/** @description Akeyless GW API Url from which the secrets to be fetched from. */
akeylessGWApiURL: string;
/** @description Auth configures how the operator authenticates with Akeyless. */
authSecretRef: {
/** @description Kubernetes authenticates with Akeyless by passing the ServiceAccount
* token stored in the named Secret resource. */
kubernetesAuth?: {
/** @description the Akeyless Kubernetes auth-method access-id */
accessID: string;
/** @description Kubernetes-auth configuration name in Akeyless-Gateway */
k8sConfName: string;
/** @description Optional secret field containing a Kubernetes ServiceAccount JWT used
* for authenticating with Akeyless. If a name is specified without a key,
* `token` is the default. If one is not specified, the one bound to
* the controller will be used. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Optional service account field containing the name of a kubernetes ServiceAccount.
* If the service account is specified, the service account secret token JWT will be used
* for authenticating with Akeyless. If the service account selector is not supplied,
* the secretRef will be used instead. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Reference to a Secret that contains the details
* to authenticate with Akeyless. */
secretRef?: {
/** @description The SecretAccessID is used for authentication */
accessID?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
accessType?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
accessTypeParam?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/**
* Format: byte
* @description PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
* if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
* are used to validate the TLS connection.
*/
caBundle?: string;
/** @description The provider for the CA bundle to use to validate Akeyless Gateway certificate. */
caProvider?: {
/** @description The key where the CA certificate can be found in the Secret or ConfigMap. */
key?: string;
/** @description The name of the object located at the provider type. */
name: string;
/** @description The namespace the Provider type is in. */
namespace?: string;
/** @description The type of provider to use such as "Secret", or "ConfigMap". */
type: string;
};
};
/** @description Alibaba configures this store to sync secrets using Alibaba Cloud provider */
alibaba?: {
/** @description AlibabaAuth contains a secretRef for credentials. */
auth: {
/** @description Authenticate against Alibaba using RRSA. */
rrsa?: {
oidcProviderArn: string;
oidcTokenFilePath: string;
roleArn: string;
sessionName: string;
};
/** @description AlibabaAuthSecretRef holds secret references for Alibaba credentials. */
secretRef?: {
/** @description The AccessKeyID is used for authentication */
accessKeyIDSecretRef: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The AccessKeySecret is used for authentication */
accessKeySecretSecretRef: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description Alibaba Region to be used for the provider */
regionID: string;
};
/** @description AWS configures this store to sync secrets using AWS Secret Manager provider */
aws?: {
/** @description Auth defines the information necessary to authenticate against AWS
* if not set aws sdk will infer credentials from your environment
* see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials */
auth?: {
/** @description Authenticate against AWS using service account tokens. */
jwt?: {
/** @description A reference to a ServiceAccount resource. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description AWSAuthSecretRef holds secret references for AWS credentials
* both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. */
secretRef?: {
/** @description The AccessKeyID is used for authentication */
accessKeyIDSecretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The SecretAccessKey is used for authentication */
secretAccessKeySecretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description AWS Region to be used for the provider */
region: string;
/** @description Role is a Role ARN which the SecretManager provider will assume */
role?: string;
/** @description Service defines which service should be used to fetch the secrets */
service: string;
};
/** @description AzureKV configures this store to sync secrets using Azure Key Vault provider */
azurekv?: {
/** @description Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. */
authSecretRef?: {
/** @description The Azure clientId of the service principle used for authentication. */
clientId?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The Azure ClientSecret of the service principle used for authentication. */
clientSecret?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Auth type defines how to authenticate to the keyvault service.
* Valid values are:
* - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
* - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) */
authType?: string;
/** @description If multiple Managed Identity is assigned to the pod, you can select the one to be used */
identityId?: string;
/** @description ServiceAccountRef specified the service account
* that should be used when authenticating with WorkloadIdentity. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. */
tenantId?: string;
/** @description Vault Url from which the secrets to be fetched from. */
vaultUrl: string;
};
/** @description Fake configures a store with static key/value pairs */
fake?: {
data: {
key: string;
value?: string;
valueMap?: {
[key: string]: string;
};
version?: string;
}[];
};
/** @description GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider */
gcpsm?: {
/** @description Auth defines the information necessary to authenticate against GCP */
auth?: {
secretRef?: {
/** @description The SecretAccessKey is used for authentication */
secretAccessKeySecretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
workloadIdentity?: {
clusterLocation: string;
clusterName: string;
clusterProjectID?: string;
/** @description A reference to a ServiceAccount resource. */
serviceAccountRef: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description ProjectID project where secret is located */
projectID?: string;
};
/** @description GitLab configures this store to sync secrets using GitLab Variables provider */
gitlab?: {
/** @description Auth configures how secret-manager authenticates with a GitLab instance. */
auth: {
SecretRef: {
/** @description AccessToken is used for authentication. */
accessToken?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description ProjectID specifies a project where secrets are located. */
projectID?: string;
/** @description URL configures the GitLab instance URL. Defaults to https://gitlab.com/. */
url?: string;
};
/** @description IBM configures this store to sync secrets using IBM Cloud provider */
ibm?: {
/** @description Auth configures how secret-manager authenticates with the IBM secrets manager. */
auth: {
secretRef: {
/** @description The SecretAccessKey is used for authentication */
secretApiKeySecretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance */
serviceUrl?: string;
};
/** @description Kubernetes configures this store to sync secrets using a Kubernetes cluster provider */
kubernetes?: {
/** @description Auth configures how secret-manager authenticates with a Kubernetes instance. */
auth: {
/** @description has both clientCert and clientKey as secretKeySelector */
cert?: {
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
clientCert?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
clientKey?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description points to a service account that should be used for authentication */
serviceAccount?: {
/** @description A reference to a ServiceAccount resource. */
serviceAccount?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description use static token to authenticate with */
token?: {
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
bearerToken?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description Remote namespace to fetch the secrets from */
remoteNamespace?: string;
/** @description configures the Kubernetes server Address. */
server?: {
/**
* Format: byte
* @description CABundle is a base64-encoded CA certificate
*/
caBundle?: string;
/** @description see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider */
caProvider?: {
/** @description The key where the CA certificate can be found in the Secret or ConfigMap. */
key?: string;
/** @description The name of the object located at the provider type. */
name: string;
/** @description The namespace the Provider type is in. */
namespace?: string;
/** @description The type of provider to use such as "Secret", or "ConfigMap". */
type: string;
};
/** @description configures the Kubernetes server Address. */
url?: string;
};
};
/** @description Oracle configures this store to sync secrets using Oracle Vault provider */
oracle?: {
/** @description Auth configures how secret-manager authenticates with the Oracle Vault.
* If empty, instance principal is used. Optionally, the authenticating principal type
* and/or user data may be supplied for the use of workload identity and user principal. */
auth?: {
/** @description SecretRef to pass through sensitive information. */
secretRef: {
/** @description Fingerprint is the fingerprint of the API private key. */
fingerprint: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description PrivateKey is the user's API Signing Key in PEM format, used for authentication. */
privatekey: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Tenancy is the tenancy OCID where user is located. */
tenancy: string;
/** @description User is an access OCID specific to the account. */
user: string;
};
/** @description Compartment is the vault compartment OCID.
* Required for PushSecret */
compartment?: string;
/** @description EncryptionKey is the OCID of the encryption key within the vault.
* Required for PushSecret */
encryptionKey?: string;
/** @description The type of principal to use for authentication. If left blank, the Auth struct will
* determine the principal type. This optional field must be specified if using
* workload identity. */
principalType?: string;
/** @description Region is the region where vault is located. */
region: string;
/** @description ServiceAccountRef specified the service account
* that should be used when authenticating with WorkloadIdentity. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Vault is the vault's OCID of the specific vault where secret is located. */
vault: string;
};
/** @description Configures a store to sync secrets with a Password Depot instance. */
passworddepot?: {
/** @description Auth configures how secret-manager authenticates with a Password Depot instance. */
auth: {
secretRef: {
/** @description Username / Password is used for authentication. */
credentials?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description Database to use as source */
database: string;
/** @description URL configures the Password Depot instance URL. */
host: string;
};
/** @description Vault configures this store to sync secrets using Hashi provider */
vault?: {
/** @description Auth configures how secret-manager authenticates with the Vault server. */
auth: {
/** @description AppRole authenticates with Vault using the App Role auth mechanism,
* with the role and secret stored in a Kubernetes Secret resource. */
appRole?: {
/** @description Path where the App Role authentication backend is mounted
* in Vault, e.g: "approle" */
path: string;
/** @description RoleID configured in the App Role authentication backend when setting
* up the authentication backend in Vault. */
roleId: string;
/** @description Reference to a key in a Secret that contains the App Role secret used
* to authenticate with Vault.
* The `key` field must be specified and denotes which entry within the Secret
* resource is used as the app role secret. */
secretRef: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
* Cert authentication method */
cert?: {
/** @description ClientCert is a certificate to authenticate using the Cert Vault
* authentication method */
clientCert?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description SecretRef to a key in a Secret resource containing client private key to
* authenticate with Vault using the Cert authentication method */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Jwt authenticates with Vault by passing role and JWT token using the
* JWT/OIDC authentication method */
jwt?: {
/** @description Optional ServiceAccountToken specifies the Kubernetes service account for which to request
* a token for with the `TokenRequest` API. */
kubernetesServiceAccountToken?: {
/** @description Optional audiences field that will be used to request a temporary Kubernetes service
* account token for the service account referenced by `serviceAccountRef`.
* Defaults to a single audience `vault` it not specified. */
audiences?: string[];
/**
* Format: int64
* @description Optional expiration time in seconds that will be used to request a temporary
* Kubernetes service account token for the service account referenced by
* `serviceAccountRef`.
* Defaults to 10 minutes.
*/
expirationSeconds?: number;
/** @description Service account field containing the name of a kubernetes ServiceAccount. */
serviceAccountRef: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Path where the JWT authentication backend is mounted
* in Vault, e.g: "jwt" */
path: string;
/** @description Role is a JWT role to authenticate using the JWT/OIDC Vault
* authentication method */
role?: string;
/** @description Optional SecretRef that refers to a key in a Secret resource containing JWT token to
* authenticate with Vault using the JWT/OIDC authentication method. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Kubernetes authenticates with Vault by passing the ServiceAccount
* token stored in the named Secret resource to the Vault server. */
kubernetes?: {
/** @description Path where the Kubernetes authentication backend is mounted in Vault, e.g:
* "kubernetes" */
mountPath: string;
/** @description A required field containing the Vault Role to assume. A Role binds a
* Kubernetes ServiceAccount with a set of Vault policies. */
role: string;
/** @description Optional secret field containing a Kubernetes ServiceAccount JWT used
* for authenticating with Vault. If a name is specified without a key,
* `token` is the default. If one is not specified, the one bound to
* the controller will be used. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Optional service account field containing the name of a kubernetes ServiceAccount.
* If the service account is specified, the service account secret token JWT will be used
* for authenticating with Vault. If the service account selector is not supplied,
* the secretRef will be used instead. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Ldap authenticates with Vault by passing username/password pair using
* the LDAP authentication method */
ldap?: {
/** @description Path where the LDAP authentication backend is mounted
* in Vault, e.g: "ldap" */
path: string;
/** @description SecretRef to a key in a Secret resource containing password for the LDAP
* user used to authenticate with Vault