import { Manifest, type ManifestConfig } from "@cdktf/provider-kubernetes/lib/manifest";
import { Construct } from "constructs";
/**
 * Typed construct for a SecretStore manifest (`apiVersion` "external-secrets.io/v1beta1",
 * `kind` "SecretStore"), built on the Kubernetes provider's `Manifest` construct.
 *
 * This is an ambient declaration: only the constructor signature is visible here, and the
 * type of `config.manifest` is the only checking this file provides.
 *
 * NOTE(review): several provider blocks in the config type (for example `beyondtrust.auth.*`
 * and `delinea.clientSecret`) accept a literal `value` next to `secretRef`. Anything passed in
 * `config.manifest` is part of the manifest itself, so reference secret material through
 * `secretRef` rather than inlining it.
 */
export declare class KubernetesSecretStoreV1beta1Manifest extends Manifest {
/**
 * @param scope construct under which this manifest is defined
 * @param id identifier of this construct within `scope`
 * @param config manifest configuration; `config.manifest` carries the SecretStore object
 */
constructor(scope: Construct, id: string, config: KubernetesSecretStoreV1beta1ManifestConfig);
}
export interface KubernetesSecretStoreV1beta1ManifestConfig extends ManifestConfig {
manifest: {
apiVersion?: "external-secrets.io/v1beta1";
kind?: "SecretStore";
metadata: {
annotations?: {
[key: string]: string;
};
labels?: {
[key: string]: string;
};
name: string;
namespace?: string;
};
/** @description SecretStoreSpec defines the desired state of SecretStore. */
spec?: {
/** @description Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore */
conditions?: {
/** @description Choose namespaces by using regex matching */
namespaceRegexes?: string[];
/** @description Choose namespace using a labelSelector */
namespaceSelector?: {
/** @description matchExpressions is a list of label selector requirements. The requirements are ANDed. */
matchExpressions?: {
/** @description key is the label key that the selector applies to. */
key: string;
/** @description operator represents a key's relationship to a set of values.
* Valid operators are In, NotIn, Exists and DoesNotExist. */
operator: string;
/** @description values is an array of string values. If the operator is In or NotIn,
* the values array must be non-empty. If the operator is Exists or DoesNotExist,
* the values array must be empty. This array is replaced during a strategic
* merge patch. */
values?: string[];
}[];
/** @description matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
* map is equivalent to an element of matchExpressions, whose key field is "key", the
* operator is "In", and the values array contains only "value". The requirements are ANDed. */
matchLabels?: {
[key: string]: string;
};
};
/** @description Choose namespaces by name */
namespaces?: string[];
}[];
/** @description Used to select the correct ESO controller (think: ingress.ingressClassName)
* The ESO controller is instantiated with a specific controller name and filters ES based on this property */
controller?: string;
/** @description Used to configure the provider. Only one provider may be set */
provider: {
/** @description Akeyless configures this store to sync secrets using Akeyless Vault provider */
akeyless?: {
/** @description Akeyless GW API URL from which the secrets are fetched. */
akeylessGWApiURL: string;
/** @description Auth configures how the operator authenticates with Akeyless. */
authSecretRef: {
/** @description Kubernetes authenticates with Akeyless by passing the ServiceAccount
* token stored in the named Secret resource. */
kubernetesAuth?: {
/** @description the Akeyless Kubernetes auth-method access-id */
accessID: string;
/** @description Kubernetes-auth configuration name in Akeyless-Gateway */
k8sConfName: string;
/** @description Optional secret field containing a Kubernetes ServiceAccount JWT used
* for authenticating with Akeyless. If a name is specified without a key,
* `token` is the default. If one is not specified, the one bound to
* the controller will be used. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Optional service account field containing the name of a kubernetes ServiceAccount.
* If the service account is specified, the service account secret token JWT will be used
* for authenticating with Akeyless. If the service account selector is not supplied,
* the secretRef will be used instead. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Reference to a Secret that contains the details
* to authenticate with Akeyless. */
secretRef?: {
/** @description The SecretAccessID is used for authentication */
accessID?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
accessType?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
accessTypeParam?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/**
* Format: byte
* @description PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
* if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
* are used to validate the TLS connection.
*/
caBundle?: string;
/** @description The provider for the CA bundle to use to validate Akeyless Gateway certificate. */
caProvider?: {
/** @description The key where the CA certificate can be found in the Secret or ConfigMap. */
key?: string;
/** @description The name of the object located at the provider type. */
name: string;
/** @description The namespace the Provider type is in.
* Can only be defined when used in a ClusterSecretStore. */
namespace?: string;
/** @description The type of provider to use such as "Secret", or "ConfigMap". */
type: string;
};
};
/** @description Alibaba configures this store to sync secrets using Alibaba Cloud provider */
alibaba?: {
/** @description AlibabaAuth contains a secretRef for credentials. */
auth: {
/** @description Authenticate against Alibaba using RRSA. */
rrsa?: {
oidcProviderArn: string;
oidcTokenFilePath: string;
roleArn: string;
sessionName: string;
};
/** @description AlibabaAuthSecretRef holds secret references for Alibaba credentials. */
secretRef?: {
/** @description The AccessKeyID is used for authentication */
accessKeyIDSecretRef: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The AccessKeySecret is used for authentication */
accessKeySecretSecretRef: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description Alibaba Region to be used for the provider */
regionID: string;
};
/** @description AWS configures this store to sync secrets using AWS Secret Manager provider */
aws?: {
/** @description AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role */
additionalRoles?: string[];
/** @description Auth defines the information necessary to authenticate against AWS
* if not set aws sdk will infer credentials from your environment
* see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials */
auth?: {
/** @description Authenticate against AWS using service account tokens. */
jwt?: {
/** @description A reference to a ServiceAccount resource. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description AWSAuthSecretRef holds secret references for AWS credentials
* both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. */
secretRef?: {
/** @description The AccessKeyID is used for authentication */
accessKeyIDSecretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The SecretAccessKey is used for authentication */
secretAccessKeySecretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The SessionToken used for authentication
* This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
* see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html */
sessionTokenSecretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description AWS External ID set on assumed IAM roles */
externalID?: string;
/** @description Prefix adds a prefix to all retrieved values. */
prefix?: string;
/** @description AWS Region to be used for the provider */
region: string;
/** @description Role is a Role ARN which the provider will assume */
role?: string;
/** @description SecretsManager defines how the provider behaves when interacting with AWS SecretsManager */
secretsManager?: {
/** @description Specifies whether to delete the secret without any recovery window. You
* can't use both this parameter and RecoveryWindowInDays in the same call.
* If you don't use either, then by default Secrets Manager uses a 30 day
* recovery window.
* see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery */
forceDeleteWithoutRecovery?: boolean;
/**
* Format: int64
* @description The number of days from 7 to 30 that Secrets Manager waits before
* permanently deleting the secret. You can't use both this parameter and
* ForceDeleteWithoutRecovery in the same call. If you don't use either,
* then by default Secrets Manager uses a 30 day recovery window.
* see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
*/
recoveryWindowInDays?: number;
};
/** @description Service defines which service should be used to fetch the secrets */
service: string;
/** @description AWS STS assume role session tags */
sessionTags?: {
key: string;
value: string;
}[];
/** @description AWS STS assume role transitive session tags. Required when multiple rules are used with the provider */
transitiveTagKeys?: string[];
};
/** @description AzureKV configures this store to sync secrets using Azure Key Vault provider */
azurekv?: {
/** @description Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. */
authSecretRef?: {
/** @description The Azure ClientCertificate of the service principal used for authentication. */
clientCertificate?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The Azure clientId of the service principal or managed identity used for authentication. */
clientId?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The Azure ClientSecret of the service principal used for authentication. */
clientSecret?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The Azure tenantId of the managed identity used for authentication. */
tenantId?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
/** @description Auth type defines how to authenticate to the keyvault service.
* Valid values are:
* - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
* - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
* NOTE(review): the authSecretRef, serviceAccountRef and tenantId descriptions in this block also
* refer to a WorkloadIdentity auth type that is not listed here; confirm the accepted values.
* The field is typed as a plain string, so an unsupported or misspelled value is not caught
* at compile time. */
authType?: string;
/** @description EnvironmentType specifies the Azure cloud environment endpoints to use for
* connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
* The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
* PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud */
environmentType?: string;
/** @description If multiple Managed Identities are assigned to the pod, you can select the one to be used */
identityId?: string;
/** @description ServiceAccountRef specifies the service account
* that should be used when authenticating with WorkloadIdentity. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. */
tenantId?: string;
/** @description Vault URL from which the secrets are fetched. */
vaultUrl: string;
};
/** @description Beyondtrust configures this store to sync secrets using Password Safe provider. */
beyondtrust?: {
/** @description Auth configures how the operator authenticates with Beyondtrust. */
auth: {
/** @description APIKey If not provided then ClientID/ClientSecret become required.
* The API key is a credential: supply it through `secretRef` where possible. */
apiKey?: {
/** @description SecretRef references a key in a secret that will be used as value. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Value can be specified directly to set a value without using a secret.
* A literal given here becomes part of the SecretStore manifest in plain text, readable by
* anyone who can read the manifest. */
value?: string;
};
/** @description Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. */
certificate?: {
/** @description SecretRef references a key in a secret that will be used as value. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Value can be specified directly to set a value without using a secret. */
value?: string;
};
/** @description Certificate private key (key.pem). For use when authenticating with an OAuth client Id
* This is private-key material: supply it through `secretRef` where possible. */
certificateKey?: {
/** @description SecretRef references a key in a secret that will be used as value. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Value can be specified directly to set a value without using a secret.
* A literal given here becomes part of the SecretStore manifest in plain text, readable by
* anyone who can read the manifest. */
value?: string;
};
/** @description ClientID is the API OAuth Client ID. */
clientId?: {
/** @description SecretRef references a key in a secret that will be used as value. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Value can be specified directly to set a value without using a secret. */
value?: string;
};
/** @description ClientSecret is the API OAuth Client Secret.
* This is secret material: supply it through `secretRef` where possible. */
clientSecret?: {
/** @description SecretRef references a key in a secret that will be used as value. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Value can be specified directly to set a value without using a secret.
* A literal given here becomes part of the SecretStore manifest in plain text, readable by
* anyone who can read the manifest. */
value?: string;
};
};
/** @description Configures how the API server is reached (the description carried by this
* declaration reads "Auth configures how API server works."). */
server: {
/** @description Required API server URL. No description is given in this declaration.
* NOTE(review): the type is a plain string, so the scheme is not checked here; confirm that an
* https URL is expected. */
apiUrl: string;
/** @description Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. */
clientTimeOutSeconds?: number;
/** @description The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. */
retrievalType?: string;
/** @description A character that separates the folder names. */
separator?: string;
/** @description Required flag with no description in this declaration.
* NOTE(review): by its name this presumably controls whether the server certificate is verified
* against a CA; confirm against the provider documentation before setting it to false. */
verifyCA: boolean;
};
};
/** @description BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider */
bitwardensecretsmanager?: {
apiURL?: string;
/** @description Auth configures how secret-manager authenticates with a bitwarden machine account instance.
* Make sure that the token being used has permissions on the given secret. */
auth: {
/** @description BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. */
secretRef: {
/** @description AccessToken used for the bitwarden instance. */
credentials: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
bitwardenServerSDKURL?: string;
/** @description Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
* can be performed. */
caBundle?: string;
/** @description see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider */
caProvider?: {
/** @description The key where the CA certificate can be found in the Secret or ConfigMap. */
key?: string;
/** @description The name of the object located at the provider type. */
name: string;
/** @description The namespace the Provider type is in.
* Can only be defined when used in a ClusterSecretStore. */
namespace?: string;
/** @description The type of provider to use such as "Secret", or "ConfigMap". */
type: string;
};
identityURL?: string;
/** @description OrganizationID determines which organization this secret store manages. */
organizationID: string;
/** @description ProjectID determines which project this secret store manages. */
projectID: string;
};
/** @description Chef configures this store to sync secrets with chef server */
chef?: {
/** @description Auth defines the information necessary to authenticate against chef Server */
auth: {
/** @description ChefAuthSecretRef holds secret references for chef server login credentials. */
secretRef: {
/** @description SecretKey is the Signing Key in PEM format, used for authentication. */
privateKeySecretRef: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" */
serverUrl: string;
/** @description UserName should be the user ID on the chef server */
username: string;
};
/** @description Conjur configures this store to sync secrets using conjur provider */
conjur?: {
auth: {
apikey?: {
account: string;
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
apiKeyRef: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description A reference to a specific 'key' within a Secret resource.
* In some instances, `key` is a required field. */
userRef: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
jwt?: {
account: string;
/** @description Optional HostID for JWT authentication. This may be used depending
* on how the Conjur JWT authenticator policy is configured. */
hostId?: string;
/** @description Optional SecretRef that refers to a key in a Secret resource containing JWT token to
* authenticate with Conjur using the JWT authentication method. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Optional ServiceAccountRef specifies the Kubernetes service account for which to request
* a token for with the `TokenRequest` API. */
serviceAccountRef?: {
/** @description Audience specifies the `aud` claim for the service account token
* If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
* then this audiences will be appended to the list */
audiences?: string[];
/** @description The name of the ServiceAccount resource being referred to. */
name: string;
/** @description Namespace of the resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description The conjur authn jwt webservice id */
serviceID: string;
};
};
caBundle?: string;
/** @description Used to provide custom certificate authority (CA) certificates
* for a secret store. The CAProvider points to a Secret or ConfigMap resource
* that contains a PEM-encoded certificate. */
caProvider?: {
/** @description The key where the CA certificate can be found in the Secret or ConfigMap. */
key?: string;
/** @description The name of the object located at the provider type. */
name: string;
/** @description The namespace the Provider type is in.
* Can only be defined when used in a ClusterSecretStore. */
namespace?: string;
/** @description The type of provider to use such as "Secret", or "ConfigMap". */
type: string;
};
url: string;
};
/** @description Delinea DevOps Secrets Vault
* https://docs.delinea.com/online-help/products/devops-secrets-vault/current */
delinea?: {
/** @description ClientID is the non-secret part of the credential. */
clientId: {
/** @description SecretRef references a key in a secret that will be used as value. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Value can be specified directly to set a value without using a secret. */
value?: string;
};
/** @description ClientSecret is the secret part of the credential.
* Supply it through `secretRef` where possible. */
clientSecret: {
/** @description SecretRef references a key in a secret that will be used as value. */
secretRef?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
/** @description Value can be specified directly to set a value without using a secret.
* A literal given here becomes part of the SecretStore manifest in plain text, readable by
* anyone who can read the manifest. */
value?: string;
};
/** @description Tenant is the chosen hostname / site name. */
tenant: string;
/** @description TLD is based on the server location that was chosen during provisioning.
* If unset, defaults to "com". */
tld?: string;
/** @description URLTemplate
* If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". */
urlTemplate?: string;
};
/** @description Device42 configures this store to sync secrets using the Device42 provider */
device42?: {
/** @description Auth configures how secret-manager authenticates with a Device42 instance. */
auth: {
secretRef: {
/** @description Username / Password is used for authentication. */
credentials?: {
/** @description A key in the referenced Secret.
* Some instances of this field may be defaulted, in others it may be required. */
key?: string;
/** @description The name of the Secret resource being referred to. */
name?: string;
/** @description The namespace of the Secret resource being referred to.
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */
namespace?: string;
};
};
};
/** @description URL configures the Device42 instance URL. */
host: string;
};
/** @description Doppler configures this store to sync secrets using the Doppler provider */
doppler?: {
/** @description Auth configures how the Operator authenticates with the Doppler API */