import { Manifest, type ManifestConfig } from "@cdktf/provider-kubernetes/lib/manifest";
import { Construct } from "constructs";
/**
 * Typed construct for an `external-secrets.io/v1beta1` `SecretStore` manifest.
 *
 * Declaration only: the class extends `Manifest` from
 * `@cdktf/provider-kubernetes` and narrows the constructor's `config`
 * argument to `KubernetesSecretStoreV1beta1ManifestConfig`. No implementation
 * is visible in this file.
 *
 * NOTE(review): some provider auth blocks in the config type (for example the
 * `beyondtrust.auth` entries and `delinea.clientId` / `delinea.clientSecret`)
 * accept a literal `value` as an alternative to `secretRef`. Presumably the
 * manifest object is written into the synthesized Terraform configuration and
 * state (confirm against the base `Manifest` resource); if so, prefer
 * `secretRef` so credentials are not stored there in clear text.
 *
 * NOTE(review): `beyondtrust.server.verifyCA` is a required boolean with no
 * description here; presumably it controls certificate verification for the
 * API connection, so a store that sets it to `false` deserves a second look.
 *
 * @param scope - Construct handed to the base class (presumably the parent scope).
 * @param id - Identifier handed to the base class.
 * @param config - Manifest configuration; `manifest.metadata.name` is required,
 *   and `spec.provider` is required whenever `spec` is given.
 */
export declare class KubernetesSecretStoreV1beta1Manifest extends Manifest { constructor(scope: Construct, id: string, config: KubernetesSecretStoreV1beta1ManifestConfig); }
export interface KubernetesSecretStoreV1beta1ManifestConfig extends ManifestConfig { manifest: { apiVersion?: "external-secrets.io/v1beta1"; kind?: "SecretStore"; metadata: { annotations?: { [key: string]: string; }; labels?: { [key: string]: string; }; name: string; namespace?: string; }; /** @description SecretStoreSpec defines the desired state of SecretStore. */ spec?: { /** @description Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore */ conditions?: { /** @description Choose namespaces by using regex matching */ namespaceRegexes?: string[]; /** @description Choose namespace using a labelSelector */ namespaceSelector?: { /** @description matchExpressions is a list of label selector requirements. The requirements are ANDed. */ matchExpressions?: { /** @description key is the label key that the selector applies to. */ key: string; /** @description operator represents a key's relationship to a set of values. * Valid operators are In, NotIn, Exists and DoesNotExist. */ operator: string; /** @description values is an array of string values. If the operator is In or NotIn, * the values array must be non-empty. If the operator is Exists or DoesNotExist, * the values array must be empty. This array is replaced during a strategic * merge patch. */ values?: string[]; }[]; /** @description matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels * map is equivalent to an element of matchExpressions, whose key field is "key", the * operator is "In", and the values array contains only "value". The requirements are ANDed. 
*/ matchLabels?: { [key: string]: string; }; }; /** @description Choose namespaces by name */ namespaces?: string[]; }[]; /** @description Used to select the correct ESO controller (think: ingress.ingressClassName) * The ESO controller is instantiated with a specific controller name and filters ES based on this property */ controller?: string; /** @description Used to configure the provider. Only one provider may be set */ provider: { /** @description Akeyless configures this store to sync secrets using Akeyless Vault provider */ akeyless?: { /** @description Akeyless GW API Url from which the secrets to be fetched from. */ akeylessGWApiURL: string; /** @description Auth configures how the operator authenticates with Akeyless. */ authSecretRef: { /** @description Kubernetes authenticates with Akeyless by passing the ServiceAccount * token stored in the named Secret resource. */ kubernetesAuth?: { /** @description the Akeyless Kubernetes auth-method access-id */ accessID: string; /** @description Kubernetes-auth configuration name in Akeyless-Gateway */ k8sConfName: string; /** @description Optional secret field containing a Kubernetes ServiceAccount JWT used * for authenticating with Akeyless. If a name is specified without a key, * `token` is the default. If one is not specified, the one bound to * the controller will be used. */ secretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Optional service account field containing the name of a kubernetes ServiceAccount. 
* If the service account is specified, the service account secret token JWT will be used * for authenticating with Akeyless. If the service account selector is not supplied, * the secretRef will be used instead. */ serviceAccountRef?: { /** @description Audience specifies the `aud` claim for the service account token * If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity * then this audiences will be appended to the list */ audiences?: string[]; /** @description The name of the ServiceAccount resource being referred to. */ name: string; /** @description Namespace of the resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; /** @description Reference to a Secret that contains the details * to authenticate with Akeyless. */ secretRef?: { /** @description The SecretAccessID is used for authentication */ accessID?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description A reference to a specific 'key' within a Secret resource. * In some instances, `key` is a required field. */ accessType?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
*/ namespace?: string; }; /** @description A reference to a specific 'key' within a Secret resource. * In some instances, `key` is a required field. */ accessTypeParam?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; }; /** * Format: byte * @description PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used * if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates * are used to validate the TLS connection. */ caBundle?: string; /** @description The provider for the CA bundle to use to validate Akeyless Gateway certificate. */ caProvider?: { /** @description The key where the CA certificate can be found in the Secret or ConfigMap. */ key?: string; /** @description The name of the object located at the provider type. */ name: string; /** @description The namespace the Provider type is in. * Can only be defined when used in a ClusterSecretStore. */ namespace?: string; /** @description The type of provider to use such as "Secret", or "ConfigMap". */ type: string; }; }; /** @description Alibaba configures this store to sync secrets using Alibaba Cloud provider */ alibaba?: { /** @description AlibabaAuth contains a secretRef for credentials. */ auth: { /** @description Authenticate against Alibaba using RRSA. */ rrsa?: { oidcProviderArn: string; oidcTokenFilePath: string; roleArn: string; sessionName: string; }; /** @description AlibabaAuthSecretRef holds secret references for Alibaba credentials. 
*/ secretRef?: { /** @description The AccessKeyID is used for authentication */ accessKeyIDSecretRef: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description The AccessKeySecret is used for authentication */ accessKeySecretSecretRef: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; }; /** @description Alibaba Region to be used for the provider */ regionID: string; }; /** @description AWS configures this store to sync secrets using AWS Secret Manager provider */ aws?: { /** @description AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role */ additionalRoles?: string[]; /** @description Auth defines the information necessary to authenticate against AWS * if not set aws sdk will infer credentials from your environment * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials */ auth?: { /** @description Authenticate against AWS using service account tokens. */ jwt?: { /** @description A reference to a ServiceAccount resource. */ serviceAccountRef?: { /** @description Audience specifies the `aud` claim for the service account token * If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity * then this audiences will be appended to the list */ audiences?: string[]; /** @description The name of the ServiceAccount resource being referred to. */ name: string; /** @description Namespace of the resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; /** @description AWSAuthSecretRef holds secret references for AWS credentials * both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. */ secretRef?: { /** @description The AccessKeyID is used for authentication */ accessKeyIDSecretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description The SecretAccessKey is used for authentication */ secretAccessKeySecretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description The SessionToken used for authentication * This must be defined if AccessKeyID and SecretAccessKey are temporary credentials * see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html */ sessionTokenSecretRef?: { /** @description A key in the referenced Secret. 
* Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; }; /** @description AWS External ID set on assumed IAM roles */ externalID?: string; /** @description Prefix adds a prefix to all retrieved values. */ prefix?: string; /** @description AWS Region to be used for the provider */ region: string; /** @description Role is a Role ARN which the provider will assume */ role?: string; /** @description SecretsManager defines how the provider behaves when interacting with AWS SecretsManager */ secretsManager?: { /** @description Specifies whether to delete the secret without any recovery window. You * can't use both this parameter and RecoveryWindowInDays in the same call. * If you don't use either, then by default Secrets Manager uses a 30 day * recovery window. * see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery */ forceDeleteWithoutRecovery?: boolean; /** * Format: int64 * @description The number of days from 7 to 30 that Secrets Manager waits before * permanently deleting the secret. You can't use both this parameter and * ForceDeleteWithoutRecovery in the same call. If you don't use either, * then by default Secrets Manager uses a 30 day recovery window. 
* see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays */ recoveryWindowInDays?: number; }; /** @description Service defines which service should be used to fetch the secrets */ service: string; /** @description AWS STS assume role session tags */ sessionTags?: { key: string; value: string; }[]; /** @description AWS STS assume role transitive session tags. Required when multiple rules are used with the provider */ transitiveTagKeys?: string[]; }; /** @description AzureKV configures this store to sync secrets using Azure Key Vault provider */ azurekv?: { /** @description Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. */ authSecretRef?: { /** @description The Azure ClientCertificate of the service principle used for authentication. */ clientCertificate?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description The Azure clientId of the service principle or managed identity used for authentication. */ clientId?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
*/ namespace?: string; }; /** @description The Azure ClientSecret of the service principle used for authentication. */ clientSecret?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description The Azure tenantId of the managed identity used for authentication. */ tenantId?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; /** @description Auth type defines how to authenticate to the keyvault service. * Valid values are: * - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) * - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) */ authType?: string; /** @description EnvironmentType specifies the Azure cloud environment endpoints to use for * connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. 
* The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 * PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud */ environmentType?: string; /** @description If multiple Managed Identity is assigned to the pod, you can select the one to be used */ identityId?: string; /** @description ServiceAccountRef specified the service account * that should be used when authenticating with WorkloadIdentity. */ serviceAccountRef?: { /** @description Audience specifies the `aud` claim for the service account token * If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity * then this audiences will be appended to the list */ audiences?: string[]; /** @description The name of the ServiceAccount resource being referred to. */ name: string; /** @description Namespace of the resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity. */ tenantId?: string; /** @description Vault Url from which the secrets to be fetched from. */ vaultUrl: string; }; /** @description Beyondtrust configures this store to sync secrets using Password Safe provider. */ beyondtrust?: { /** @description Auth configures how the operator authenticates with Beyondtrust. */ auth: { /** @description APIKey If not provided then ClientID/ClientSecret become required. */ apiKey?: { /** @description SecretRef references a key in a secret that will be used as value. */ secretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. 
*/ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Value can be specified directly to set a value without using a secret. */ value?: string; }; /** @description Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. */ certificate?: { /** @description SecretRef references a key in a secret that will be used as value. */ secretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Value can be specified directly to set a value without using a secret. */ value?: string; }; /** @description Certificate private key (key.pem). For use when authenticating with an OAuth client Id */ certificateKey?: { /** @description SecretRef references a key in a secret that will be used as value. */ secretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Value can be specified directly to set a value without using a secret. */ value?: string; }; /** @description ClientID is the API OAuth Client ID. 
*/ clientId?: { /** @description SecretRef references a key in a secret that will be used as value. */ secretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Value can be specified directly to set a value without using a secret. */ value?: string; }; /** @description ClientSecret is the API OAuth Client Secret. */ clientSecret?: { /** @description SecretRef references a key in a secret that will be used as value. */ secretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Value can be specified directly to set a value without using a secret. */ value?: string; }; }; /** @description Auth configures how API server works. */ server: { apiUrl: string; /** @description Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. */ clientTimeOutSeconds?: number; /** @description The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. */ retrievalType?: string; /** @description A character that separates the folder names. 
*/ separator?: string; verifyCA: boolean; }; }; /** @description BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider */ bitwardensecretsmanager?: { apiURL?: string; /** @description Auth configures how secret-manager authenticates with a bitwarden machine account instance. * Make sure that the token being used has permissions on the given secret. */ auth: { /** @description BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance. */ secretRef: { /** @description AccessToken used for the bitwarden instance. */ credentials: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; }; bitwardenServerSDKURL?: string; /** @description Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack * can be performed. */ caBundle?: string; /** @description see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider */ caProvider?: { /** @description The key where the CA certificate can be found in the Secret or ConfigMap. */ key?: string; /** @description The name of the object located at the provider type. */ name: string; /** @description The namespace the Provider type is in. * Can only be defined when used in a ClusterSecretStore. */ namespace?: string; /** @description The type of provider to use such as "Secret", or "ConfigMap". */ type: string; }; identityURL?: string; /** @description OrganizationID determines which organization this secret store manages. 
*/ organizationID: string; /** @description ProjectID determines which project this secret store manages. */ projectID: string; }; /** @description Chef configures this store to sync secrets with chef server */ chef?: { /** @description Auth defines the information necessary to authenticate against chef Server */ auth: { /** @description ChefAuthSecretRef holds secret references for chef server login credentials. */ secretRef: { /** @description SecretKey is the Signing Key in PEM format, used for authentication. */ privateKeySecretRef: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; }; /** @description ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/" */ serverUrl: string; /** @description UserName should be the user ID on the chef server */ username: string; }; /** @description Conjur configures this store to sync secrets using conjur provider */ conjur?: { auth: { apikey?: { account: string; /** @description A reference to a specific 'key' within a Secret resource. * In some instances, `key` is a required field. */ apiKeyRef: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
*/ namespace?: string; }; /** @description A reference to a specific 'key' within a Secret resource. * In some instances, `key` is a required field. */ userRef: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; jwt?: { account: string; /** @description Optional HostID for JWT authentication. This may be used depending * on how the Conjur JWT authenticator policy is configured. */ hostId?: string; /** @description Optional SecretRef that refers to a key in a Secret resource containing JWT token to * authenticate with Conjur using the JWT authentication method. */ secretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Optional ServiceAccountRef specifies the Kubernetes service account for which to request * a token for with the `TokenRequest` API. */ serviceAccountRef?: { /** @description Audience specifies the `aud` claim for the service account token * If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity * then this audiences will be appended to the list */ audiences?: string[]; /** @description The name of the ServiceAccount resource being referred to. */ name: string; /** @description Namespace of the resource being referred to. 
* Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description The conjur authn jwt webservice id */ serviceID: string; }; }; caBundle?: string; /** @description Used to provide custom certificate authority (CA) certificates * for a secret store. The CAProvider points to a Secret or ConfigMap resource * that contains a PEM-encoded certificate. */ caProvider?: { /** @description The key where the CA certificate can be found in the Secret or ConfigMap. */ key?: string; /** @description The name of the object located at the provider type. */ name: string; /** @description The namespace the Provider type is in. * Can only be defined when used in a ClusterSecretStore. */ namespace?: string; /** @description The type of provider to use such as "Secret", or "ConfigMap". */ type: string; }; url: string; }; /** @description Delinea DevOps Secrets Vault * https://docs.delinea.com/online-help/products/devops-secrets-vault/current */ delinea?: { /** @description ClientID is the non-secret part of the credential. */ clientId: { /** @description SecretRef references a key in a secret that will be used as value. */ secretRef?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Value can be specified directly to set a value without using a secret. */ value?: string; }; /** @description ClientSecret is the secret part of the credential. */ clientSecret: { /** @description SecretRef references a key in a secret that will be used as value. */ secretRef?: { /** @description A key in the referenced Secret. 
* Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; /** @description Value can be specified directly to set a value without using a secret. */ value?: string; }; /** @description Tenant is the chosen hostname / site name. */ tenant: string; /** @description TLD is based on the server location that was chosen during provisioning. * If unset, defaults to "com". */ tld?: string; /** @description URLTemplate * If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". */ urlTemplate?: string; }; /** @description Device42 configures this store to sync secrets using the Device42 provider */ device42?: { /** @description Auth configures how secret-manager authenticates with a Device42 instance. */ auth: { secretRef: { /** @description Username / Password is used for authentication. */ credentials?: { /** @description A key in the referenced Secret. * Some instances of this field may be defaulted, in others it may be required. */ key?: string; /** @description The name of the Secret resource being referred to. */ name?: string; /** @description The namespace of the Secret resource being referred to. * Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. */ namespace?: string; }; }; }; /** @description URL configures the Device42 instance URL. */ host: string; }; /** @description Doppler configures this store to sync secrets using the Doppler provider */ doppler?: { /** @description Auth configures how the Operator authenticates with the Doppler API */