From 37e3872d2e69b636de40cfd974acbe6797295e73 Mon Sep 17 00:00:00 2001 
From: Thomas Way Date: Mon, 6 Nov 2023 19:29:15 +0000 Subject: [PATCH] feat(k8s/amour): External secrets, Grafana, VM... Remove the 1Password operator, fix rook. --- WORKSPACE | 2 +- .../onepassword-operator/api/v1/BUILD.bazel | 12 + .../api/v1/groupversion_info_go_gen.cue | 8 + .../api/v1/onepassworditem_types_go_gen.cue | 59 + .../api/victoriametrics/v1beta1/BUILD.bazel | 36 + .../v1beta1/additional_go_gen.cue | 339 + .../v1beta1/groupversion_info_go_gen.cue | 8 + .../victoriametrics/v1beta1/owner_go_gen.cue | 31 + .../v1beta1/vmagent_types_go_gen.cue | 157 + .../v1beta1/vmalert_types_go_gen.cue | 127 + .../v1beta1/vmalertmanager_types_go_gen.cue | 77 + .../vmalertmanagerconfig_types_go_gen.cue | 826 ++ .../v1beta1/vmauth_types_go_gen.cue | 83 + .../v1beta1/vmcluster_types_go_gen.cue | 762 ++ .../v1beta1/vmnodescrape_types_go_gen.cue | 142 + .../v1beta1/vmpodscrape_types_go_gen.cue | 189 + .../v1beta1/vmprobe_types_go_gen.cue | 164 + .../v1beta1/vmrule_types_go_gen.cue | 160 + .../v1beta1/vmservicescrape_types_go_gen.cue | 383 + .../v1beta1/vmsingle_types_go_gen.cue | 69 + .../v1beta1/vmstaticscrape_types_go_gen.cue | 147 + .../v1beta1/vmuser_types_go_gen.cue | 188 + .../apis/externalsecrets/v1beta1/BUILD.bazel | 45 + .../clusterexternalsecret_types_go_gen.cue | 108 + .../externalsecrets/v1beta1/doc_go_gen.cue | 9 + .../v1beta1/externalsecret_types_go_gen.cue | 496 + .../externalsecret_validator_go_gen.cue | 20 + .../v1beta1/generic_store_go_gen.cue | 9 + .../v1beta1/provider_go_gen.cue | 40 + .../v1beta1/pushsecret_interfaces_go_gen.cue | 20 + .../v1beta1/register_go_gen.cue | 8 + .../secretsstore_delinea_types_go_gen.cue | 39 + .../secretstore_akeyless_types_go_gen.cue | 70 + .../secretstore_alibaba_types_go_gen.cue | 41 + .../v1beta1/secretstore_aws_types_go_gen.cue | 94 + .../secretstore_azurekv_types_go_gen.cue | 95 + .../secretstore_conjur_types_go_gen.cue | 49 + .../secretstore_doppler_types_go_gen.cue | 43 + .../v1beta1/secretstore_fake_types_go_gen.cue | 
17 + .../secretstore_gcpsm_types_go_gen.cue | 38 + .../secretstore_gitlab_types_go_gen.cue | 35 + .../v1beta1/secretstore_ibm_types_go_gen.cue | 39 + ...ecretstore_keepersecurity_types_go_gen.cue | 13 + .../secretstore_kubernetes_types_go_gen.cue | 61 + .../secretstore_onepassword_types_go_gen.cue | 30 + .../secretstore_oracle_types_go_gen.cue | 63 + .../secretstore_scaleway_types_go_gen.cue | 35 + .../secretstore_senhasegura_types_go_gen.cue | 43 + .../v1beta1/secretstore_types_go_gen.cue | 257 + .../v1beta1/secretstore_validator_go_gen.cue | 10 + .../secretstore_vault_types_go_gen.cue | 325 + .../secretstore_webhook_types_go_gen.cue | 92 + ..._yandexcertificatemanager_types_go_gen.cue | 31 + ...secretstore_yandexlockbox_types_go_gen.cue | 31 + .../external-secrets/apis/meta/v1/BUILD.bazel | 11 + .../apis/meta/v1/doc_go_gen.cue | 7 + .../apis/meta/v1/types_go_gen.cue | 39 + .../gen/k8s.io/api/apps/v1/types_go_gen.cue | 1 + .../v1/annotation_key_constants_go_gen.cue | 6 +- .../gen/k8s.io/api/core/v1/types_go_gen.cue | 252 +- .../api/core/v1/well_known_labels_go_gen.cue | 10 +- .../k8s.io/api/networking/v1/types_go_gen.cue | 51 - .../v1/types_jsonschema_go_gen.cue | 47 + cue.mod/gen/pkg.go.dev/net/url/BUILD.bazel | 8 + cue.mod/gen/pkg.go.dev/net/url/url_go_gen.cue | 69 + go.mod | 102 +- go.sum | 839 +- k8s/amour/BUILD.bazel | 6 +- k8s/amour/cluster_secret_store_list.cue | 25 + .../BUILD.bazel | 14 +- .../cluster_role_binding_list.cue | 15 +- .../external_secrets/cluster_role_list.cue | 101 + .../custom_resource_definition_list.cue | 10230 ++++++++++++++ .../deployment_list.cue | 34 +- .../external_secrets/external-secrets.cue | 10968 ++++++++++++++++ k8s/amour/external_secrets/list.cue | 42 + .../namespace_list.cue | 2 +- .../external_secrets/role_binding_list.cue | 25 + k8s/amour/external_secrets/role_list.cue | 30 + .../service_account_list.cue | 2 +- .../external_secrets/webhook/BUILD.bazel | 22 + .../webhook/certificate_list.cue | 27 + 
.../webhook}/deployment_list.cue | 45 +- .../external_secrets/webhook/issuer_list.cue | 14 + .../webhook}/list.cue | 15 +- .../webhook}/service_account_list.cue | 2 +- .../webhook}/service_list.cue | 6 +- .../validating_webhook_configuration_list.cue | 72 + k8s/amour/grafana/BUILD.bazel | 23 + k8s/amour/grafana/README.md | 5 + k8s/amour/grafana/config_map_list.cue | 70 + k8s/amour/grafana/external_secret_list.cue | 36 + k8s/amour/grafana/list.cue | 39 + .../namespace_list.cue | 2 +- k8s/amour/grafana/service_account_list.cue | 14 + k8s/amour/grafana/service_list.cue | 26 + k8s/amour/grafana/stateful_set_list.cue | 99 + k8s/amour/grafana/vm_service_scrape_list.cue | 19 + k8s/amour/kube_system/BUILD.bazel | 1 + k8s/amour/kube_system/list.cue | 1 + .../kube_system/vm_service_scrape_list.cue | 26 + k8s/amour/list.cue | 9 +- k8s/amour/onepassword_connect/secret_list.cue | 6 +- k8s/amour/onepassword_operator/README.md | 3 - .../cilium_network_policy_list.cue | 52 - .../cluster_role_list.cue | 48 - .../custom_resource_definition_list.cue | 87 - .../onepassword_operator/secret_list.cue | 14 - .../onepassword_secrets_injector/README.md | 3 - .../cilium_network_policy_list.cue | 20 - .../cluster_role_list.cue | 20 - k8s/amour/rook_ceph/ceph_block_pool_list.cue | 14 +- k8s/amour/rook_ceph/ceph_cluster_list.cue | 2 +- k8s/amour/rook_ceph/storage_class_list.cue | 16 +- .../BUILD.bazel | 11 +- k8s/amour/snapshot_controller/README.md | 11 + .../cluster_role_binding_list.cue | 15 +- .../snapshot_controller/cluster_role_list.cue | 49 + .../custom_resource_definition_list.cue | 864 ++ .../snapshot_controller/deployment_list.cue | 42 + .../list.cue | 10 +- .../snapshot_controller/namespace_list.cue | 14 + .../snapshot_controller/role_binding_list.cue | 25 + k8s/amour/snapshot_controller/role_list.cue | 21 + .../service_account_list.cue | 14 + k8s/amour/vm/vm_agent_list.cue | 2 +- k8s/amour/vm/vm_alertmanager_list.cue | 2 +- k8s/amour/vm/vm_cluster_list.cue | 6 +- tools/tools.go | 3 + 
129 files changed, 30145 insertions(+), 1013 deletions(-) create mode 100644 cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/BUILD.bazel create mode 100644 cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/groupversion_info_go_gen.cue create mode 100644 cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/onepassworditem_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/BUILD.bazel create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/additional_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/groupversion_info_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/owner_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmagent_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalert_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalertmanager_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalertmanagerconfig_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmauth_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmcluster_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmnodescrape_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmpodscrape_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmprobe_types_go_gen.cue create mode 100644 
cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmrule_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmservicescrape_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmsingle_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmstaticscrape_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmuser_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/BUILD.bazel create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/clusterexternalsecret_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/doc_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/externalsecret_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/externalsecret_validator_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/generic_store_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/provider_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/pushsecret_interfaces_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/register_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretsstore_delinea_types_go_gen.cue create mode 100644 
cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_akeyless_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_alibaba_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_aws_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_azurekv_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_conjur_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_doppler_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_fake_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_gcpsm_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_gitlab_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_ibm_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_keepersecurity_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_kubernetes_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_onepassword_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_oracle_types_go_gen.cue create mode 100644 
cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_scaleway_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_senhasegura_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_validator_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_vault_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_webhook_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_yandexcertificatemanager_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/BUILD.bazel create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/doc_go_gen.cue create mode 100644 cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/types_go_gen.cue create mode 100644 cue.mod/gen/pkg.go.dev/net/url/BUILD.bazel create mode 100644 cue.mod/gen/pkg.go.dev/net/url/url_go_gen.cue create mode 100644 k8s/amour/cluster_secret_store_list.cue rename k8s/amour/{onepassword_operator => external_secrets}/BUILD.bazel (69%) rename k8s/amour/{onepassword_secrets_injector => external_secrets}/cluster_role_binding_list.cue (76%) create mode 100644 k8s/amour/external_secrets/cluster_role_list.cue create mode 100644 k8s/amour/external_secrets/custom_resource_definition_list.cue rename k8s/amour/{onepassword_operator 
=> external_secrets}/deployment_list.cue (51%) create mode 100644 k8s/amour/external_secrets/external-secrets.cue create mode 100644 k8s/amour/external_secrets/list.cue rename k8s/amour/{onepassword_operator => external_secrets}/namespace_list.cue (87%) create mode 100644 k8s/amour/external_secrets/role_binding_list.cue create mode 100644 k8s/amour/external_secrets/role_list.cue rename k8s/amour/{onepassword_operator => external_secrets}/service_account_list.cue (88%) create mode 100644 k8s/amour/external_secrets/webhook/BUILD.bazel create mode 100644 k8s/amour/external_secrets/webhook/certificate_list.cue rename k8s/amour/{onepassword_secrets_injector => external_secrets/webhook}/deployment_list.cue (57%) create mode 100644 k8s/amour/external_secrets/webhook/issuer_list.cue rename k8s/amour/{onepassword_secrets_injector => external_secrets/webhook}/list.cue (63%) rename k8s/amour/{onepassword_secrets_injector => external_secrets/webhook}/service_account_list.cue (86%) rename k8s/amour/{onepassword_secrets_injector => external_secrets/webhook}/service_list.cue (77%) create mode 100644 k8s/amour/external_secrets/webhook/validating_webhook_configuration_list.cue create mode 100644 k8s/amour/grafana/BUILD.bazel create mode 100644 k8s/amour/grafana/README.md create mode 100644 k8s/amour/grafana/config_map_list.cue create mode 100644 k8s/amour/grafana/external_secret_list.cue create mode 100644 k8s/amour/grafana/list.cue rename k8s/amour/{onepassword_secrets_injector => grafana}/namespace_list.cue (84%) create mode 100644 k8s/amour/grafana/service_account_list.cue create mode 100644 k8s/amour/grafana/service_list.cue create mode 100644 k8s/amour/grafana/stateful_set_list.cue create mode 100644 k8s/amour/grafana/vm_service_scrape_list.cue create mode 100644 k8s/amour/kube_system/vm_service_scrape_list.cue delete mode 100644 k8s/amour/onepassword_operator/README.md delete mode 100644 k8s/amour/onepassword_operator/cilium_network_policy_list.cue delete mode 100644 
k8s/amour/onepassword_operator/cluster_role_list.cue delete mode 100644 k8s/amour/onepassword_operator/custom_resource_definition_list.cue delete mode 100644 k8s/amour/onepassword_operator/secret_list.cue delete mode 100644 k8s/amour/onepassword_secrets_injector/README.md delete mode 100644 k8s/amour/onepassword_secrets_injector/cilium_network_policy_list.cue delete mode 100644 k8s/amour/onepassword_secrets_injector/cluster_role_list.cue rename k8s/amour/{onepassword_secrets_injector => snapshot_controller}/BUILD.bazel (61%) create mode 100644 k8s/amour/snapshot_controller/README.md rename k8s/amour/{onepassword_operator => snapshot_controller}/cluster_role_binding_list.cue (76%) create mode 100644 k8s/amour/snapshot_controller/cluster_role_list.cue create mode 100644 k8s/amour/snapshot_controller/custom_resource_definition_list.cue create mode 100644 k8s/amour/snapshot_controller/deployment_list.cue rename k8s/amour/{onepassword_operator => snapshot_controller}/list.cue (79%) create mode 100644 k8s/amour/snapshot_controller/namespace_list.cue create mode 100644 k8s/amour/snapshot_controller/role_binding_list.cue create mode 100644 k8s/amour/snapshot_controller/role_list.cue create mode 100644 k8s/amour/snapshot_controller/service_account_list.cue diff --git a/WORKSPACE b/WORKSPACE index fd25aaacf..19cec0335 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -9,7 +9,7 @@ load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_depe go_rules_dependencies() -go_register_toolchains(version = "1.20.4") +go_register_toolchains(version = "1.21.3") load("//:go_deps.bzl", "go_dependencies") diff --git a/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/BUILD.bazel b/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/BUILD.bazel new file mode 100644 index 000000000..0f6287715 --- /dev/null +++ b/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/BUILD.bazel 
@@ -0,0 +1,12 @@ +load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library") + +cue_library( + name = "cue_v1_library", + srcs = [ + "groupversion_info_go_gen.cue", + "onepassworditem_types_go_gen.cue", + ], + importpath = "github.com/1Password/onepassword-operator/api/v1", + visibility = ["//visibility:public"], + deps = ["//cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1:cue_v1_library"], +) diff --git a/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/groupversion_info_go_gen.cue b/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/groupversion_info_go_gen.cue new file mode 100644 index 000000000..1362f20c5 --- /dev/null +++ b/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/groupversion_info_go_gen.cue @@ -0,0 +1,8 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/1Password/onepassword-operator/api/v1 + +// Package v1 contains API Schema definitions for the v1 API group +// +kubebuilder:object:generate=true +// +groupName=onepassword.com +package v1 diff --git a/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/onepassworditem_types_go_gen.cue b/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/onepassworditem_types_go_gen.cue new file mode 100644 index 000000000..e9ca22dc0 --- /dev/null +++ b/cue.mod/gen/github.com/1Password/onepassword-operator/api/v1/onepassworditem_types_go_gen.cue 
@@ -0,0 +1,59 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/1Password/onepassword-operator/api/v1 + +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// OnePasswordItemSpec defines the desired state of OnePasswordItem +#OnePasswordItemSpec: { + itemPath?: string @go(ItemPath) +} + +#OnePasswordItemConditionType: string // #enumOnePasswordItemConditionType + +#enumOnePasswordItemConditionType: + #OnePasswordItemReady + +// OnePasswordItemReady means the Kubernetes secret is ready for use. +#OnePasswordItemReady: #OnePasswordItemConditionType & "Ready" + +#OnePasswordItemCondition: { + // Type of job condition, Completed. + type: #OnePasswordItemConditionType @go(Type) + + // Status of the condition, one of True, False, Unknown. + status: metav1.#ConditionStatus @go(Status) + + // Last time the condition transit from one status to another. + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) + + // Human-readable message indicating details about last transition. + // +optional + message?: string @go(Message) +} + +// OnePasswordItemStatus defines the observed state of OnePasswordItem +#OnePasswordItemStatus: { + conditions: [...#OnePasswordItemCondition] @go(Conditions,[]OnePasswordItemCondition) +} + +// OnePasswordItem is the Schema for the onepassworditems API +#OnePasswordItem: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + + // Kubernetes secret type. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types + type?: string @go(Type) + spec?: #OnePasswordItemSpec @go(Spec) + status?: #OnePasswordItemStatus @go(Status) +} + +// OnePasswordItemList contains a list of OnePasswordItem +#OnePasswordItemList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#OnePasswordItem] @go(Items,[]OnePasswordItem) +} 
diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/BUILD.bazel b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/BUILD.bazel new file mode 100644 index 000000000..c89a724ba --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/BUILD.bazel @@ -0,0 +1,36 @@ +load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library") + +cue_library( + name = "cue_v1beta1_library", + srcs = [ + "additional_go_gen.cue", + "groupversion_info_go_gen.cue", + "owner_go_gen.cue", + "vmagent_types_go_gen.cue", + "vmalert_types_go_gen.cue", + "vmalertmanager_types_go_gen.cue", + "vmalertmanagerconfig_types_go_gen.cue", + "vmauth_types_go_gen.cue", + "vmcluster_types_go_gen.cue", + "vmnodescrape_types_go_gen.cue", + "vmpodscrape_types_go_gen.cue", + "vmprobe_types_go_gen.cue", + "vmrule_types_go_gen.cue", + "vmservicescrape_types_go_gen.cue", + "vmsingle_types_go_gen.cue", + "vmstaticscrape_types_go_gen.cue", + "vmuser_types_go_gen.cue", + ], + importpath = "github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1", + visibility = ["//visibility:public"], + deps = [ + "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library", + "//cue.mod/gen/k8s.io/api/autoscaling/v2beta2:cue_v2beta2_library", + "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library", + "//cue.mod/gen/k8s.io/api/networking/v1:cue_v1_library", + "//cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:cue_v1_library", + "//cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1:cue_v1_library", + "//cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr:cue_intstr_library", + "//cue.mod/gen/pkg.go.dev/net/url:cue_url_library", + ], +) diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/additional_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/additional_go_gen.cue new file mode 100644 index 000000000..9251792cb --- /dev/null 
+++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/additional_go_gen.cue 
@@ -0,0 +1,339 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/api/autoscaling/v2beta2" +) + +_#vmPathPrefixFlagName: "http.pathPrefix" +_#healthPath: "/health" +_#metricPath: "/metrics" +_#reloadPath: "/-/reload" +_#reloadAuthKey: "reloadAuthKey" +_#snapshotCreate: "/snapshot/create" +_#snapshotDelete: "/snapshot/delete" + +// FinalizerName name of our finalizer. +#FinalizerName: "apps.victoriametrics.com/finalizer" +#SkipValidationAnnotation: "operator.victoriametrics.com/skip-validation" +#SkipValidationValue: "true" +#AdditionalServiceLabel: "operator.victoriametrics.com/additional-service" + +// PVCExpandableLabel controls checks for storageClass +#PVCExpandableLabel: "operator.victoriametrics.com/pvc-allow-volume-expansion" + +// EmbeddedObjectMetadata contains a subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta +// Only fields which are relevant to embedded resources are included. +#EmbeddedObjectMetadata: { + // Name must be unique within a namespace. Is required when creating resources, although + // some resources may allow a client to request the generation of an appropriate name + // automatically. Name is primarily intended for creation idempotence and configuration + // definition. + // Cannot be updated. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + // +optional + name?: string @go(Name) @protobuf(1,bytes,opt) + + // Labels Map of string keys and values that can be used to organize and categorize + // (scope and select) objects. May match selectors of replication controllers + // and services. 
+ // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.displayName="PodLabels" + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:label" + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) @protobuf(11,bytes,rep) + + // Annotations is an unstructured key value map stored with a resource that may be + // set by external tools to store and retrieve arbitrary metadata. They are not + // queryable and should be preserved when modifying objects. + // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations + // +optional + annotations?: {[string]: string} @go(Annotations,map[string]string) @protobuf(12,bytes,rep) +} + +// StorageSpec defines the configured storage for a group Prometheus servers. +// If neither `emptyDir` nor `volumeClaimTemplate` is specified, then by default an [EmptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir) will be used. +// +k8s:openapi-gen=true +#StorageSpec: { + // Deprecated: subPath usage will be disabled by default in a future release, this option will become unnecessary. + // DisableMountSubPath allows to remove any subPath usage in volume mounts. + // +optional + disableMountSubPath?: bool @go(DisableMountSubPath) + + // EmptyDirVolumeSource to be used by the Prometheus StatefulSets. If specified, used in place of any volumeClaimTemplate. More + // info: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir + // +optional + emptyDir?: null | v1.#EmptyDirVolumeSource @go(EmptyDir,*v1.EmptyDirVolumeSource) + + // A PVC spec to be used by the VMAlertManager StatefulSets. 
+ // +optional + volumeClaimTemplate?: #EmbeddedPersistentVolumeClaim @go(VolumeClaimTemplate) +} + +// EmbeddedPersistentVolumeClaim is an embedded version of k8s.io/api/core/v1.PersistentVolumeClaim. +// It contains TypeMeta and a reduced ObjectMeta. +#EmbeddedPersistentVolumeClaim: { + metav1.#TypeMeta + + // EmbeddedMetadata contains metadata relevant to an EmbeddedResource. + // +optional + metadata?: #EmbeddedObjectMetadata @go(EmbeddedObjectMetadata) @protobuf(1,bytes,opt) + + // Spec defines the desired characteristics of a volume requested by a pod author. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + spec?: v1.#PersistentVolumeClaimSpec @go(Spec) @protobuf(2,bytes,opt) + + // Status represents the current information/status of a persistent volume claim. + // Read-only. + // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + // +optional + status?: v1.#PersistentVolumeClaimStatus @go(Status) @protobuf(3,bytes,opt) +} + +// HTTPAuth generic auth used with http protocols +#HTTPAuth: { + basicAuth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + oauth2?: null | #OAuth2 @go(OAuth2,*OAuth2) + tlsConfig?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + #BearerAuth + + // Headers allow configuring custom http headers + // Must be in form of semicolon separated header with value + // e.g. 
+ // headerName:headerValue + // vmalert supports it since 1.79.0 version + // +optional + headers?: [...string] @go(Headers,[]string) +} + +// BearerAuth defines auth with bearer token +#BearerAuth: { + // Path to bearer token file + // +optional + bearerTokenFile?: string @go(TokenFilePath) + + // Optional bearer auth token to use for -remoteWrite.url + // +optional + bearerTokenSecret?: null | v1.#SecretKeySelector @go(TokenSecret,*v1.SecretKeySelector) +} + +// BasicAuth allow an endpoint to authenticate over basic authentication +// +k8s:openapi-gen=true +#BasicAuth: { + // The secret in the service scrape namespace that contains the username + // for authentication. + // It must be at them same namespace as CRD + // +optional + username?: v1.#SecretKeySelector @go(Username) + + // The secret in the service scrape namespace that contains the password + // for authentication. + // It must be at them same namespace as CRD + // +optional + password?: v1.#SecretKeySelector @go(Password) + + // PasswordFile defines path to password file at disk + // +optional + password_file?: string @go(PasswordFile) +} + +// ServiceSpec defines additional service for CRD with user-defined params. +// by default, some of fields can be inherited from default service definition for the CRD: +// labels,selector, ports. +// if metadata.name is not defined, service will have format {{CRD_TYPE}}-{{CRD_NAME}}-additional-service. +// +k8s:openapi-gen=true +#ServiceSpec: { + // EmbeddedObjectMetadata defines objectMeta for additional service. + metadata?: #EmbeddedObjectMetadata @go(EmbeddedObjectMetadata) + + // ServiceSpec describes the attributes that a user creates on a service. + // More info: https://kubernetes.io/docs/concepts/services-networking/service/ + spec: v1.#ServiceSpec @go(Spec) +} + +#EmbeddedPodDisruptionBudgetSpec: { + // An eviction is allowed if at least "minAvailable" pods selected by + // "selector" will still be available after the eviction, i.e. 
even in the + // absence of the evicted pod. So for example you can prevent all voluntary + // evictions by specifying "100%". + // +optional + minAvailable?: null | intstr.#IntOrString @go(MinAvailable,*intstr.IntOrString) + + // An eviction is allowed if at most "maxUnavailable" pods selected by + // "selector" are unavailable after the eviction, i.e. even in absence of + // the evicted pod. For example, one can prevent all voluntary evictions + // by specifying 0. This is a mutually exclusive setting with "minAvailable". + // +optional + maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) + + // replaces default labels selector generated by operator + // it's useful when you need to create custom budget + // +optional + selectorLabels?: {[string]: string} @go(SelectorLabels,map[string]string) +} + +// EmbeddedProbes - it allows to override some probe params. +// its not necessary to specify all options, +// operator will replace missing spec with default values. +#EmbeddedProbes: { + // LivenessProbe that will be added CRD pod + // +optional + livenessProbe?: null | v1.#Probe @go(LivenessProbe,*v1.Probe) + + // ReadinessProbe that will be added CRD pod + // +optional + readinessProbe?: null | v1.#Probe @go(ReadinessProbe,*v1.Probe) + + // StartupProbe that will be added to CRD pod + // +optional + startupProbe?: null | v1.#Probe @go(StartupProbe,*v1.Probe) +} + +// EmbeddedHPA embeds HorizontalPodAutoScaler spec v2. 
+// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/ +#EmbeddedHPA: { + minReplicas?: null | int32 @go(MinReplicas,*int32) + maxReplicas?: int32 @go(MaxReplicas) + metrics?: [...v2beta2.#MetricSpec] @go(Metrics,[]v2beta2.MetricSpec) + behaviour?: null | v2beta2.#HorizontalPodAutoscalerBehavior @go(Behaviour,*v2beta2.HorizontalPodAutoscalerBehavior) +} + +// DiscoverySelector can be used at CRD components discovery +#DiscoverySelector: { + namespaceSelector?: null | #NamespaceSelector @go(Namespace,*NamespaceSelector) + labelSelector?: null | metav1.#LabelSelector @go(Labels,*metav1.LabelSelector) +} + +// ConfigMapKeyReference refers to a key in a ConfigMap. +#ConfigMapKeyReference: { + v1.#LocalObjectReference + + // The ConfigMap key to refer to. + key: string @go(Key) +} + +// StreamAggrConfig defines the stream aggregation config +// +k8s:openapi-gen=true +#StreamAggrConfig: { + // Stream aggregation rules + rules: [...#StreamAggrRule] @go(Rules,[]StreamAggrRule) + + // Allows writing both raw and aggregate data + // +optional + keepInput?: bool @go(KeepInput) + + // Allow drop all the input samples after the aggregation + dropInput?: bool @go(DropInput) + + // Allows setting different de-duplication intervals per each configured remote storage + // +optional + dedupInterval?: string @go(DedupInterval) +} + +// StreamAggrRule defines the rule in stream aggregation config +// +k8s:openapi-gen=true +#StreamAggrRule: { + // Match is a label selector (or list of label selectors) for filtering time series for the given selector. + // + // If the match isn't set, then all the input time series are processed. + // +optional + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + match?: #StringOrArray @go(Match) + + // Interval is the interval between aggregations. 
+ interval: string @go(Interval) + + // StalenessInterval defines an interval after which the series state will be reset if no samples have been sent during it. + staleness_interval?: string @go(StalenessInterval) + + // Outputs is a list of output aggregate functions to produce. + // + // The following names are allowed: + // + // - total - aggregates input counters + // - increase - counts the increase over input counters + // - count_series - counts the input series + // - count_samples - counts the input samples + // - sum_samples - sums the input samples + // - last - the last biggest sample value + // - min - the minimum sample value + // - max - the maximum sample value + // - avg - the average value across all the samples + // - stddev - standard deviation across all the samples + // - stdvar - standard variance across all the samples + // - histogram_bucket - creates VictoriaMetrics histogram for input samples + // - quantiles(phi1, ..., phiN) - quantiles' estimation for phi in the range [0..1] + // + // The output time series will have the following names: + // + // input_name:aggr__ + // + outputs: [...string] @go(Outputs,[]string) + + // By is an optional list of labels for grouping input series. + // + // See also Without. + // + // If neither By nor Without are set, then the Outputs are calculated + // individually per each input time series. + // +optional + by?: [...string] @go(By,[]string) + + // Without is an optional list of labels, which must be excluded when grouping input series. + // + // See also By. + // + // If neither By nor Without are set, then the Outputs are calculated + // individually per each input time series. + // +optional + without?: [...string] @go(Without,[]string) + + // InputRelabelConfigs is an optional relabeling rules, which are applied on the input + // before aggregation. 
+ // +optional + input_relabel_configs?: [...#RelabelConfig] @go(InputRelabelConfigs,[]RelabelConfig) + + // OutputRelabelConfigs is an optional relabeling rules, which are applied + // on the aggregated output before being sent to remote storage. + // +optional + output_relabel_configs?: [...#RelabelConfig] @go(OutputRelabelConfigs,[]RelabelConfig) +} + +// KeyValue defines a (key, value) tuple. +// +kubebuilder:object:generate=false +// +k8s:openapi-gen=false +#KeyValue: { + // Key of the tuple. + // +kubebuilder:validation:MinLength=1 + key: string @go(Key) + + // Value of the tuple. + value: string @go(Value) +} + +// StringOrArray is a helper type for storing string or array of string. +#StringOrArray: _ + +// License holds license key for enterprise features. +// Using license key is supported starting from VictoriaMetrics v1.94.0 +// See: https://docs.victoriametrics.com/enterprise.html +#License: { + // Enterprise license key. This flag is available only in VictoriaMetrics enterprise. + // Documentation - https://docs.victoriametrics.com/enterprise.html + // for more information, visit https://victoriametrics.com/products/enterprise/ . + // To request a trial license, go to https://victoriametrics.com/products/enterprise/trial/ + key?: null | string @go(Key,*string) + + // KeyRef is reference to secret with license key for enterprise features. + keyRef?: null | v1.#SecretKeySelector @go(KeyRef,*v1.SecretKeySelector) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/groupversion_info_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/groupversion_info_go_gen.cue new file mode 100644 index 000000000..a370c0670 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/groupversion_info_go_gen.cue 
@@ -0,0 +1,8 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +// Package v1beta1 contains API Schema definitions for the victoriametrics v1beta1 API group +// +kubebuilder:object:generate=true +// +groupName=operator.victoriametrics.com +package v1beta1 diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/owner_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/owner_go_gen.cue new file mode 100644 index 000000000..02ab6c0a7 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/owner_go_gen.cue @@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +#CRDName: int // #enumCRDName + +#enumCRDName: + #Agent | + #Alert | + #Single | + #Cluster | + #Auth | + #AlertManager + +#values_CRDName: { + Agent: #Agent + Alert: #Alert + Single: #Single + Cluster: #Cluster + Auth: #Auth + AlertManager: #AlertManager +} + +#Agent: #CRDName & 0 +#Alert: #CRDName & 1 +#Single: #CRDName & 2 +#Cluster: #CRDName & 3 +#Auth: #CRDName & 4 +#AlertManager: #CRDName & 5 diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmagent_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmagent_types_go_gen.cue new file mode 100644 index 000000000..d53b57122 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmagent_types_go_gen.cue 
@@ -0,0 +1,157 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// VMAgentSpec defines the desired state of VMAgent +// +k8s:openapi-gen=true +// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of VMAgent" +// +kubebuilder:printcolumn:name="ReplicaCount",type="integer",JSONPath=".spec.replicas",description="The desired replicas number of VMAgent" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +#VMAgentSpec: _ + +// VMAgentRemoteWriteSettings - defines global settings for all remoteWrite urls. +#VMAgentRemoteWriteSettings: { + // The maximum size in bytes of unpacked request to send to remote storage + // +optional + maxBlockSize?: null | int32 @go(MaxBlockSize,*int32) + + // The maximum file-based buffer size in bytes at -remoteWrite.tmpDataPath + // +optional + maxDiskUsagePerURL?: null | int64 @go(MaxDiskUsagePerURL,*int64) + + // The number of concurrent queues + // +optional + queues?: null | int32 @go(Queues,*int32) + + // Whether to show -remoteWrite.url in the exported metrics. It is hidden by default, since it can contain sensitive auth info + // +optional + showURL?: null | bool @go(ShowURL,*bool) + + // Path to directory where temporary data for remote write component is stored (default vmagent-remotewrite-data) + // +optional + tmpDataPath?: null | string @go(TmpDataPath,*string) + + // Interval for flushing the data to remote storage. (default 1s) + // +optional + // +kubebuilder:validation:Pattern:="[0-9]+(ms|s|m|h)" + flushInterval?: null | string @go(FlushInterval,*string) + + // Labels in the form 'name=value' to add to all the metrics before sending them. This overrides the label if it already exists. 
+ // +optional + label?: {[string]: string} @go(Labels,map[string]string) + + // Configures vmagent in multi-tenant mode with direct cluster support + // docs https://docs.victoriametrics.com/vmagent.html#multitenancy + // it's global setting and affects all remote storage configurations + // +optional + useMultiTenantMode?: bool @go(UseMultiTenantMode) +} + +// VMAgentRemoteWriteSpec defines the remote storage configuration for VmAgent +// +k8s:openapi-gen=true +#VMAgentRemoteWriteSpec: { + // URL of the endpoint to send samples to. + url: string @go(URL) + + // BasicAuth allow an endpoint to authenticate over basic authentication + // +optional + basicAuth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + + // Optional bearer auth token to use for -remoteWrite.url + // +optional + bearerTokenSecret?: null | v1.#SecretKeySelector @go(BearerTokenSecret,*v1.SecretKeySelector) + + // ConfigMap with relabeling config which is applied to metrics before sending them to the corresponding -remoteWrite.url + // +optional + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Key at Configmap with relabelConfig for remoteWrite",xDescriptors="urn:alm:descriptor:io.kubernetes:ConfigMapKeySelector" + urlRelabelConfig?: null | v1.#ConfigMapKeySelector @go(UrlRelabelConfig,*v1.ConfigMapKeySelector) + + // InlineUrlRelabelConfig defines relabeling config for remoteWriteURL, it can be defined at crd spec. 
+ // +optional + inlineUrlRelabelConfig?: [...#RelabelConfig] @go(InlineUrlRelabelConfig,[]RelabelConfig) + + // OAuth2 defines auth configuration + // +optional + oauth2?: null | #OAuth2 @go(OAuth2,*OAuth2) + + // TLSConfig describes tls configuration for remote write target + // +optional + tlsConfig?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + // Timeout for sending a single block of data to -remoteWrite.url (default 1m0s) + // +optional + // +kubebuilder:validation:Pattern:="[0-9]+(ms|s|m|h)" + sendTimeout?: null | string @go(SendTimeout,*string) + + // Headers allow configuring custom http headers + // Must be in form of semicolon separated header with value + // e.g. + // headerName: headerValue + // vmagent supports since 1.79.0 version + // +optional + headers?: [...string] @go(Headers,[]string) + + // StreamAggrConfig defines stream aggregation configuration for VMAgent for -remoteWrite.url + // +optional + streamAggrConfig?: null | #StreamAggrConfig @go(StreamAggrConfig,*StreamAggrConfig) +} + +// VMAgentStatus defines the observed state of VMAgent +// +k8s:openapi-gen=true +#VMAgentStatus: { + // Shards represents total number of vmagent deployments with uniq scrape targets + shards: int32 @go(Shards) + + // Selector string form of label value set for autoscaling + selector: string @go(Selector) + + // ReplicaCount Total number of pods targeted by this VMAgent + replicas: int32 @go(Replicas) + + // UpdatedReplicas Total number of non-terminated pods targeted by this VMAgent + // cluster that have the desired version spec. + updatedReplicas: int32 @go(UpdatedReplicas) + + // AvailableReplicas Total number of available pods (ready for at least minReadySeconds) + // targeted by this VMAlert cluster. + availableReplicas: int32 @go(AvailableReplicas) + + // UnavailableReplicas Total number of unavailable pods targeted by this VMAgent cluster. 
+ unavailableReplicas: int32 @go(UnavailableReplicas) +} + +// VMAgent - is a tiny but brave agent, which helps you collect metrics from various sources and stores them in VictoriaMetrics +// or any other Prometheus-compatible storage system that supports the remote_write protocol. +// +operator-sdk:gen-csv:customresourcedefinitions.displayName="VMAgent App" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Deployment,apps" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Service,v1" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Secret,v1" +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +genclient +// +k8s:openapi-gen=true +// +kubebuilder:subresource:status +// +kubebuilder:resource:path=vmagents,scope=Namespaced +// +kubebuilder:subresource:scale:specpath=.spec.shardCount,statuspath=.status.shards,selectorpath=.status.selector +// +kubebuilder:printcolumn:name="Shards Count",type="integer",JSONPath=".status.shards",description="current number of shards" +// +kubebuilder:printcolumn:name="Replica Count",type="integer",JSONPath=".status.replicas",description="current number of replicas" +#VMAgent: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #VMAgentSpec @go(Spec) + status?: #VMAgentStatus @go(Status) +} + +// VMAgentList contains a list of VMAgent +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#VMAgentList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMAgent] @go(Items,[]VMAgent) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalert_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalert_types_go_gen.cue new file mode 100644 index 000000000..4ba0a3aed --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalert_types_go_gen.cue 
@@ -0,0 +1,127 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// MetaVMAlertDeduplicateRulesKey - controls behavior for vmalert rules deduplication +// its useful for migration from prometheus. +#MetaVMAlertDeduplicateRulesKey: "operator.victoriametrics.com/vmalert-deduplicate-rules" + +// VMAlertSpec defines the desired state of VMAlert +// +k8s:openapi-gen=true +// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of VMAlert" +// +kubebuilder:printcolumn:name="ReplicaCount",type="integer",JSONPath=".spec.replicas",description="The desired replicas number of VmAlerts" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +#VMAlertSpec: _ + +// VMAlertDatasourceSpec defines the remote storage configuration for VmAlert to read alerts from +// +k8s:openapi-gen=true +#VMAlertDatasourceSpec: { + // Victoria Metrics or VMSelect url. Required parameter. E.g. http://127.0.0.1:8428 + url: string @go(URL) + + #HTTPAuth +} + +// VMAlertNotifierSpec defines the notifier url for sending information about alerts +// +k8s:openapi-gen=true +#VMAlertNotifierSpec: { + // AlertManager url. E.g. http://127.0.0.1:9093 + // +optional + url?: string @go(URL) + + // Selector allows service discovery for alertmanager + // in this case all matched vmalertmanager replicas will be added into vmalert notifier.url + // as statefulset pod.fqdn + // +optional + selector?: null | #DiscoverySelector @go(Selector,*DiscoverySelector) + + #HTTPAuth +} + +// VMAlertRemoteReadSpec defines the remote storage configuration for VmAlert to read alerts from +// +k8s:openapi-gen=true +#VMAlertRemoteReadSpec: { + // URL of the endpoint to send samples to. + url: string @go(URL) + + // Lookback defines how far to look into past for alerts timeseries. 
For example, if lookback=1h then range from now() to now()-1h will be scanned. (default 1h0m0s) + // Applied only to RemoteReadSpec + // +optional + lookback?: null | string @go(Lookback,*string) + + #HTTPAuth +} + +// VMAlertRemoteWriteSpec defines the remote storage configuration for VmAlert +// +k8s:openapi-gen=true +#VMAlertRemoteWriteSpec: { + // URL of the endpoint to send samples to. + url: string @go(URL) + + // Defines number of readers that concurrently write into remote storage (default 1) + // +optional + concurrency?: null | int32 @go(Concurrency,*int32) + + // Defines interval of flushes to remote write endpoint (default 5s) + // +optional + // +kubebuilder:validation:Pattern:="[0-9]+(ms|s|m|h)" + flushInterval?: null | string @go(FlushInterval,*string) + + // Defines defines max number of timeseries to be flushed at once (default 1000) + // +optional + maxBatchSize?: null | int32 @go(MaxBatchSize,*int32) + + // Defines the max number of pending datapoints to remote write endpoint (default 100000) + // +optional + maxQueueSize?: null | int32 @go(MaxQueueSize,*int32) + + #HTTPAuth +} + +// VMAlertStatus defines the observed state of VMAlert +// +k8s:openapi-gen=true +// +kubebuilder:subresource:status +#VMAlertStatus: { + // ReplicaCount Total number of non-terminated pods targeted by this VMAlert + // cluster (their labels match the selector). + replicas: int32 @go(Replicas) + + // UpdatedReplicas Total number of non-terminated pods targeted by this VMAlert + // cluster that have the desired version spec. + updatedReplicas: int32 @go(UpdatedReplicas) + + // AvailableReplicas Total number of available pods (ready for at least minReadySeconds) + // targeted by this VMAlert cluster. + availableReplicas: int32 @go(AvailableReplicas) + + // UnavailableReplicas Total number of unavailable pods targeted by this VMAlert cluster. 
+ unavailableReplicas: int32 @go(UnavailableReplicas) +} + +// VMAlert executes a list of given alerting or recording rules against configured address. +// +operator-sdk:gen-csv:customresourcedefinitions.displayName="VMAlert App" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Deployment,v1" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Service,v1" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Secret,v1" +// +genclient +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:subresource:status +// +kubebuilder:resource:path=vmalerts,scope=Namespaced +#VMAlert: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #VMAlertSpec @go(Spec) + status?: #VMAlertStatus @go(Status) +} + +// VMAlertList contains a list of VMAlert +#VMAlertList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMAlert] @go(Items,[]VMAlert) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalertmanager_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalertmanager_types_go_gen.cue new file mode 100644 index 000000000..0c1d4c01e --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalertmanager_types_go_gen.cue 
@@ -0,0 +1,77 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// VMAlertmanager represents Victoria-Metrics deployment for Alertmanager. +// +operator-sdk:gen-csv:customresourcedefinitions.displayName="VMAlertmanager App" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="StatefulSet,apps" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Service,v1" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Secret,v1" +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +genclient +// +k8s:openapi-gen=true +// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of VMAlertmanager" +// +kubebuilder:printcolumn:name="ReplicaCount",type="integer",JSONPath=".spec.ReplicaCount",description="The desired replicas number of Alertmanagers" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:path=vmalertmanagers,scope=Namespaced,shortName=vma,singular=vmalertmanager +#VMAlertmanager: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + + // Specification of the desired behavior of the VMAlertmanager cluster. More info: + // https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + spec: #VMAlertmanagerSpec @go(Spec) + + // Most recent observed status of the VMAlertmanager cluster. + // Operator API itself. More info: + // https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + status?: null | #VMAlertmanagerStatus @go(Status,*VMAlertmanagerStatus) +} + +// VMAlertmanagerSpec is a specification of the desired behavior of the VMAlertmanager cluster. 
More info: +// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +// +k8s:openapi-gen=true +#VMAlertmanagerSpec: _ + +// VMAlertmanagerList is a list of Alertmanagers. +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#VMAlertmanagerList: { + metav1.#TypeMeta + + // Standard list metadata + // More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata + metadata?: metav1.#ListMeta @go(ListMeta) + + // List of Alertmanagers + items: [...#VMAlertmanager] @go(Items,[]VMAlertmanager) +} + +// VMAlertmanagerStatus is the most recent observed status of the VMAlertmanager cluster +// Operator API itself. More info: +// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +// +k8s:openapi-gen=true +#VMAlertmanagerStatus: { + // Paused Represents whether any actions on the underlaying managed objects are + // being performed. Only delete actions will be performed. + paused: bool @go(Paused) + + // ReplicaCount Total number of non-terminated pods targeted by this VMAlertmanager + // cluster (their labels match the selector). + replicas: int32 @go(Replicas) + + // UpdatedReplicas Total number of non-terminated pods targeted by this VMAlertmanager + // cluster that have the desired version spec. + updatedReplicas: int32 @go(UpdatedReplicas) + + // AvailableReplicas Total number of available pods (ready for at least minReadySeconds) + // targeted by this VMAlertmanager cluster. + availableReplicas: int32 @go(AvailableReplicas) + + // UnavailableReplicas Total number of unavailable pods targeted by this VMAlertmanager cluster. + unavailableReplicas: int32 @go(UnavailableReplicas) +} 
diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalertmanagerconfig_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalertmanagerconfig_types_go_gen.cue new file mode 100644 index 000000000..5b2e14501 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmalertmanagerconfig_types_go_gen.cue 
@@ -0,0 +1,826 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + "k8s.io/api/core/v1" +) + +// VMAlertmanagerConfigSpec defines configuration for VMAlertmanagerConfig +#VMAlertmanagerConfigSpec: { + // Route definition for alertmanager, may include nested routes. + // +optional + route?: null | #Route @go(Route,*Route) + + // Receivers defines alert receivers. + // without defined Route, receivers will be skipped. + // +optional + receivers: [...#Receiver] @go(Receivers,[]Receiver) + + // InhibitRules will only apply for alerts matching + // the resource's namespace. + // +optional + inhibit_rules?: [...#InhibitRule] @go(InhibitRules,[]InhibitRule) + + // MuteTimeInterval - global mute time + // See https://prometheus.io/docs/alerting/latest/configuration/#mute_time_interval + // +optional + mute_time_intervals?: [...#MuteTimeInterval] @go(MutTimeIntervals,[]MuteTimeInterval) + + // ParsingError contents error with context if operator was failed to parse json object from kubernetes api server + // TimeIntervals modern config option, use it instead of mute_time_intervals + // +optional + time_intervals?: [...#MuteTimeInterval] @go(TimeIntervals,[]MuteTimeInterval) +} + +// MuteTimeInterval for alerts +#MuteTimeInterval: { + // Name of interval + // +required + name?: string @go(Name) + + // TimeIntervals interval configuration + // +required + time_intervals: [...#TimeInterval] @go(TimeIntervals,[]TimeInterval) +} + +// TimeInterval defines intervals of time +#TimeInterval: { + // Times defines time range for mute + // +optional + times?: [...#TimeRange] @go(Times,[]TimeRange) + + // Weekdays defines list of days of the week, where the week begins on Sunday and ends on Saturday. 
+ // +optional + weekdays?: [...string] @go(Weekdays,[]string) + + // DayOfMonth defines list of numerical days in the month. Days begin at 1. Negative values are also accepted. + // for example, ['1:5', '-3:-1'] + // +optional + days_of_month?: [...string] @go(DaysOfMonth,[]string) + + // Months defines list of calendar months identified by a case-insentive name (e.g. ‘January’) or numeric 1. + // For example, ['1:3', 'may:august', 'december'] + // +optional + months?: [...string] @go(Months,[]string) + + // Years defines numerical list of years, ranges are accepted. + // For example, ['2020:2022', '2030'] + // +optional + years?: [...string] @go(Years,[]string) + + // Location in golang time location form, e.g. UTC + // +optional + location?: string @go(Location) +} + +// TimeRange ranges inclusive of the starting time and exclusive of the end time +#TimeRange: { + // StartTime for example HH:MM + // +required + start_time: string @go(StartTime) + + // EndTime for example HH:MM + // +required + end_time: string @go(EndTime) +} + +// VMAlertmanagerConfigStatus defines the observed state of VMAlertmanagerConfig +#VMAlertmanagerConfigStatus: { + // ErrorReason describes validation or any other errors. + reason?: string @go(ErrorReason) +} + +// VMAlertmanagerConfig is the Schema for the vmalertmanagerconfigs API +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +genclient +// +k8s:openapi-gen=true +#VMAlertmanagerConfig: _ + +// VMAlertmanagerConfigList contains a list of VMAlertmanagerConfig +#VMAlertmanagerConfigList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMAlertmanagerConfig] @go(Items,[]VMAlertmanagerConfig) +} + +// Route defines a node in the routing tree. +#Route: { + // Name of the receiver for this route. + // +required + receiver: string @go(Receiver) + + // List of labels to group by. 
+ // +optional + group_by?: [...string] @go(GroupBy,[]string) + + // How long to wait before sending the initial notification. + // +kubebuilder:validation:Pattern:="[0-9]+(ms|s|m|h)" + // +optional + group_wait?: string @go(GroupWait) + + // How long to wait before sending an updated notification. + // +kubebuilder:validation:Pattern:="[0-9]+(ms|s|m|h)" + // +optional + group_interval?: string @go(GroupInterval) + + // How long to wait before repeating the last notification. + // +kubebuilder:validation:Pattern:="[0-9]+(ms|s|m|h)" + // +optional + repeat_interval?: string @go(RepeatInterval) + + // List of matchers that the alert’s labels should match. For the first + // level route, the operator adds a namespace: "CRD_NS" matcher. + // https://prometheus.io/docs/alerting/latest/configuration/#matcher + // +optional + matchers?: [...string] @go(Matchers,[]string) + + // Continue indicating whether an alert should continue matching subsequent + // sibling nodes. It will always be true for the first-level route if disableRouteContinueEnforce for vmalertmanager not set. + // +optional + continue?: bool @go(Continue) + + // Child routes. + // https://prometheus.io/docs/alerting/latest/configuration/#route + routes?: [...apiextensionsv1.#JSON] @go(RawRoutes,[]apiextensionsv1.JSON) + + // MuteTimeIntervals for alerts + // +optional + mute_time_intervals?: [...string] @go(MuteTimeIntervals,[]string) + + // ActiveTimeIntervals Times when the route should be active + // These must match the name at time_intervals + // +optional + active_time_intervals?: [...string] @go(ActiveTimeIntervals,[]string) +} + +// InhibitRule defines an inhibition rule that allows to mute alerts when other +// alerts are already firing. +// Note, it doesn't support deprecated alertmanager config options. 
+// See https://prometheus.io/docs/alerting/latest/configuration/#inhibit_rule +#InhibitRule: { + // TargetMatchers defines a list of matchers that have to be fulfilled by the target + // alerts to be muted. + // +optional + target_matchers?: [...string] @go(TargetMatchers,[]string) + + // SourceMatchers defines a list of matchers for which one or more alerts have + // to exist for the inhibition to take effect. + // +optional + source_matchers?: [...string] @go(SourceMatchers,[]string) + + // Labels that must have an equal value in the source and target alert for + // the inhibition to take effect. + // +optional + equal?: [...string] @go(Equal,[]string) +} + +// Receiver defines one or more notification integrations. +#Receiver: { + // Name of the receiver. Must be unique across all items from the list. + // +kubebuilder:validation:MinLength=1 + // +required + name: string @go(Name) + + // EmailConfigs defines email notification configurations. + // +optional + email_configs?: [...#EmailConfig] @go(EmailConfigs,[]EmailConfig) + + // PagerDutyConfigs defines pager duty notification configurations. + // +optional + pagerduty_configs?: [...#PagerDutyConfig] @go(PagerDutyConfigs,[]PagerDutyConfig) + + // PushoverConfigs defines push over notification configurations. + // +optional + pushover_configs?: [...#PushoverConfig] @go(PushoverConfigs,[]PushoverConfig) + + // SlackConfigs defines slack notification configurations. + // +optional + slack_configs?: [...#SlackConfig] @go(SlackConfigs,[]SlackConfig) + + // OpsGenieConfigs defines ops genie notification configurations. + // +optional + opsgenie_configs?: [...#OpsGenieConfig] @go(OpsGenieConfigs,[]OpsGenieConfig) + + // WebhookConfigs defines webhook notification configurations. + // +optional + webhook_configs?: [...#WebhookConfig] @go(WebhookConfigs,[]WebhookConfig) + + // VictorOpsConfigs defines victor ops notification configurations. 
+ // +optional + victorops_configs?: [...#VictorOpsConfig] @go(VictorOpsConfigs,[]VictorOpsConfig) + + // WeChatConfigs defines wechat notification configurations. + // +optional + wechat_configs?: [...#WeChatConfig] @go(WeChatConfigs,[]WeChatConfig) + telegram_configs?: [...#TelegramConfig] @go(TelegramConfigs,[]TelegramConfig) +} + +#TelegramConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // APIUrl the Telegram API URL i.e. https://api.telegram.org. + // +optional + api_url?: string @go(APIUrl) + + // BotToken token for the bot + // https://core.telegram.org/bots/api + bot_token?: null | v1.#SecretKeySelector @go(BotToken,*v1.SecretKeySelector) + + // ChatID is ID of the chat where to send the messages. + chat_id: int @go(ChatID) + + // Message is templated message + // +optional + message?: string @go(Message) + + // DisableNotifications + // +optional + disable_notifications?: null | bool @go(DisableNotifications,*bool) + + // ParseMode for telegram message, + // supported values are MarkdownV2, Markdown, Markdown and empty string for plain text. + // +optional + parse_mode?: string @go(ParseMode) + + // HTTP client configuration. + // +optional + http_config?: null | #HTTPConfig @go(HTTPConfig,*HTTPConfig) +} + +// WebhookConfig configures notifications via a generic receiver supporting the webhook payload. +// See https://prometheus.io/docs/alerting/latest/configuration/#webhook_config +#WebhookConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // URL to send requests to, + // one of `urlSecret` and `url` must be defined. + // +optional + url?: null | string @go(URL,*string) + + // URLSecret defines secret name and key at the CRD namespace. + // It must contain the webhook URL. + // one of `urlSecret` and `url` must be defined. 
+ // +optional + url_secret?: null | v1.#SecretKeySelector @go(URLSecret,*v1.SecretKeySelector) + + // HTTP client configuration. + // +optional + http_config?: null | #HTTPConfig @go(HTTPConfig,*HTTPConfig) + + // Maximum number of alerts to be sent per webhook message. When 0, all alerts are included. + // +optional + // +kubebuilder:validation:Minimum=0 + max_alerts?: int32 @go(MaxAlerts) +} + +// WeChatConfig configures notifications via WeChat. +// See https://prometheus.io/docs/alerting/latest/configuration/#wechat_config +#WeChatConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // The secret's key that contains the WeChat API key. + // The secret needs to be in the same namespace as the AlertmanagerConfig + // object and accessible by the Prometheus Operator. + // +optional + api_secret?: null | v1.#SecretKeySelector @go(APISecret,*v1.SecretKeySelector) + + // The WeChat API URL. + // +optional + api_url?: string @go(APIURL) + + // The corp id for authentication. + // +optional + corp_id?: string @go(CorpID) + + // +optional + agent_id?: string @go(AgentID) + + // +optional + to_user?: string @go(ToUser) + + // +optional + to_party?: string @go(ToParty) + + // +optional + to_tag?: string @go(ToTag) + + // API request data as defined by the WeChat API. + message?: string @go(Message) + + // +optional + message_type?: string @go(MessageType) + + // HTTP client configuration. + // +optional + http_config?: null | #HTTPConfig @go(HTTPConfig,*HTTPConfig) +} + +// EmailConfig configures notifications via Email. +#EmailConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // The email address to send notifications to. + // +optional + to?: string @go(To) + + // The sender address. + // +optional + from?: string @go(From) + + // The hostname to identify to the SMTP server. 
+ // +optional + hello?: string @go(Hello) + + // The SMTP host through which emails are sent. + // +optional + smarthost?: string @go(Smarthost) + + // The username to use for authentication. + // +optional + auth_username?: string @go(AuthUsername) + + // AuthPassword defines secret name and key at CRD namespace. + // +optional + auth_password?: null | v1.#SecretKeySelector @go(AuthPassword,*v1.SecretKeySelector) + + // AuthSecret defines secrent name and key at CRD namespace. + // It must contain the CRAM-MD5 secret. + // +optional + auth_secret?: null | v1.#SecretKeySelector @go(AuthSecret,*v1.SecretKeySelector) + + // The identity to use for authentication. + // +optional + auth_identity?: string @go(AuthIdentity) + + // Further headers email header key/value pairs. Overrides any headers + // previously set by the notification implementation. + headers?: #EmailConfigHeaders @go(Headers) + + // The HTML body of the email notification. + // +optional + html?: string @go(HTML) + + // The text body of the email notification. + // +optional + text?: string @go(Text) + + // The SMTP TLS requirement. + // Note that Go does not support unencrypted connections to remote SMTP endpoints. + // +optional + require_tls?: null | bool @go(RequireTLS,*bool) + + // TLS configuration + // +optional + tls_config?: null | #TLSConfig @go(TLSConfig,*TLSConfig) +} + +// EmailConfigHeaders is a map of email headers. +#EmailConfigHeaders: _ + +// VictorOpsConfig configures notifications via VictorOps. +// See https://prometheus.io/docs/alerting/latest/configuration/#victorops_config +#VictorOpsConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // The secret's key that contains the API key to use when talking to the VictorOps API. + // It must be at them same namespace as CRD + // +optional + api_key?: null | v1.#SecretKeySelector @go(APIKey,*v1.SecretKeySelector) + + // The VictorOps API URL. 
+ // +optional + api_url?: string @go(APIURL) + + // A key used to map the alert to a team. + // +optional + routing_key: string @go(RoutingKey) + + // Describes the behavior of the alert (CRITICAL, WARNING, INFO). + // +optional + message_type?: string @go(MessageType) + + // Contains summary of the alerted problem. + // +optional + entity_display_name?: string @go(EntityDisplayName) + + // Contains long explanation of the alerted problem. + // +optional + state_message?: string @go(StateMessage) + + // The monitoring tool the state message is from. + // +optional + monitoring_tool?: string @go(MonitoringTool) + + // The HTTP client's configuration. + // +optional + http_config?: null | #HTTPConfig @go(HTTPConfig,*HTTPConfig) + + // Adds optional custom fields + // https://github.com/prometheus/alertmanager/blob/v0.24.0/config/notifiers.go#L537 + // +optional + custom_fields?: {[string]: string} @go(CustomFields,map[string]string) +} + +// PushoverConfig configures notifications via Pushover. +// See https://prometheus.io/docs/alerting/latest/configuration/#pushover_config +#PushoverConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // The secret's key that contains the recipient user’s user key. + // It must be at them same namespace as CRD + user_key?: null | v1.#SecretKeySelector @go(UserKey,*v1.SecretKeySelector) + + // The secret's key that contains the registered application’s API token, see https://pushover.net/apps. + // It must be at them same namespace as CRD + token?: null | v1.#SecretKeySelector @go(Token,*v1.SecretKeySelector) + + // Notification title. + // +optional + title?: string @go(Title) + + // Notification message. + // +optional + message?: string @go(Message) + + // A supplementary URL shown alongside the message. 
+ // +optional + url?: string @go(URL) + + // A title for supplementary URL, otherwise just the URL is shown + // +optional + url_title?: string @go(URLTitle) + + // The name of one of the sounds supported by device clients to override the user's default sound choice + // +optional + sound?: string @go(Sound) + + // Priority, see https://pushover.net/api#priority + // +optional + priority?: string @go(Priority) + + // How often the Pushover servers will send the same notification to the user. + // Must be at least 30 seconds. + // +optional + retry?: string @go(Retry) + + // How long your notification will continue to be retried for, unless the user + // acknowledges the notification. + // +optional + expire?: string @go(Expire) + + // Whether notification message is HTML or plain text. + // +optional + html?: bool @go(HTML) + + // HTTP client configuration. + // +optional + http_config?: null | #HTTPConfig @go(HTTPConfig,*HTTPConfig) +} + +// SlackConfig configures notifications via Slack. +// See https://prometheus.io/docs/alerting/latest/configuration/#slack_config +#SlackConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // The secret's key that contains the Slack webhook URL. + // It must be at them same namespace as CRD + // +optional + api_url?: null | v1.#SecretKeySelector @go(APIURL,*v1.SecretKeySelector) + + // The channel or user to send notifications to. + // +optional + channel?: string @go(Channel) + + // +optional + username?: string @go(Username) + + // +optional + color?: string @go(Color) + + // +optional + title?: string @go(Title) + + // +optional + title_link?: string @go(TitleLink) + + // +optional + pretext?: string @go(Pretext) + + // +optional + text?: string @go(Text) + + // A list of Slack fields that are sent with each notification. 
+ // +optional + fields?: [...#SlackField] @go(Fields,[]SlackField) + + // +optional + short_fields?: bool @go(ShortFields) + + // +optional + footer?: string @go(Footer) + + // +optional + fallback?: string @go(Fallback) + + // +optional + callback_id?: string @go(CallbackID) + + // +optional + icon_emoji?: string @go(IconEmoji) + + // +optional + icon_url?: string @go(IconURL) + + // +optional + image_url?: string @go(ImageURL) + + // +optional + thumb_url?: string @go(ThumbURL) + + // +optional + link_names?: bool @go(LinkNames) + + // +optional + mrkdwn_in?: [...string] @go(MrkdwnIn,[]string) + + // A list of Slack actions that are sent with each notification. + // +optional + actions?: [...#SlackAction] @go(Actions,[]SlackAction) + + // HTTP client configuration. + // +optional + http_config?: null | #HTTPConfig @go(HTTPConfig,*HTTPConfig) +} + +// SlackField configures a single Slack field that is sent with each notification. +// See https://api.slack.com/docs/message-attachments#fields for more information. +#SlackField: { + // +kubebuilder:validation:MinLength=1 + // +required + title: string @go(Title) + + // +kubebuilder:validation:MinLength=1 + // +required + value: string @go(Value) + + // +optional + short?: null | bool @go(Short,*bool) +} + +// SlackAction configures a single Slack action that is sent with each +// notification. +// See https://api.slack.com/docs/message-attachments#action_fields and +// https://api.slack.com/docs/message-buttons for more information. 
+#SlackAction: { + // +kubebuilder:validation:MinLength=1 + // +required + type: string @go(Type) + + // +kubebuilder:validation:MinLength=1 + // +required + text: string @go(Text) + + // +optional + url?: string @go(URL) + + // +optional + style?: string @go(Style) + + // +optional + name?: string @go(Name) + + // +optional + value?: string @go(Value) + + // +optional + confirm?: null | #SlackConfirmationField @go(ConfirmField,*SlackConfirmationField) +} + +// SlackConfirmationField protect users from destructive actions or +// particularly distinguished decisions by asking them to confirm their button +// click one more time. +// See https://api.slack.com/docs/interactive-message-field-guide#confirmation_fields +// for more information. +#SlackConfirmationField: { + // +kubebuilder:validation:MinLength=1 + // +required + text: string @go(Text) + + // +optional + title?: string @go(Title) + + // +optional + ok_text?: string @go(OkText) + + // +optional + dismiss_text?: string @go(DismissText) +} + +// OpsGenieConfig configures notifications via OpsGenie. +// See https://prometheus.io/docs/alerting/latest/configuration/#opsgenie_config +#OpsGenieConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // The secret's key that contains the OpsGenie API key. + // It must be at them same namespace as CRD + // +optional + api_key?: null | v1.#SecretKeySelector @go(APIKey,*v1.SecretKeySelector) + + // The URL to send OpsGenie API requests to. + // +optional + apiURL?: string @go(APIURL) + + // Alert text limited to 130 characters. + // +optional + message?: string @go(Message) + + // Description of the incident. + // +optional + description?: string @go(Description) + + // Backlink to the sender of the notification. + // +optional + source?: string @go(Source) + + // Comma separated list of tags attached to the notifications. 
+ // +optional + tags?: string @go(Tags) + + // Additional alert note. + // +optional + note?: string @go(Note) + + // Priority level of alert. Possible values are P1, P2, P3, P4, and P5. + // +optional + priority?: string @go(Priority) + + // A set of arbitrary key/value pairs that provide further detail about the incident. + // +optional + details?: {[string]: string} @go(Details,map[string]string) + + // List of responders responsible for notifications. + // +optional + responders?: [...#OpsGenieConfigResponder] @go(Responders,[]OpsGenieConfigResponder) + + // HTTP client configuration. + // +optional + http_config?: null | #HTTPConfig @go(HTTPConfig,*HTTPConfig) +} + +// OpsGenieConfigResponder defines a responder to an incident. +// One of `id`, `name` or `username` has to be defined. +#OpsGenieConfigResponder: { + // ID of the responder. + // +optional + id?: string @go(ID) + + // Name of the responder. + // +optional + name?: string @go(Name) + + // Username of the responder. + // +optional + username?: string @go(Username) + + // Type of responder. + // +kubebuilder:validation:MinLength=1 + // +required + type: string @go(Type) +} + +// PagerDutyConfig configures notifications via PagerDuty. +// See https://prometheus.io/docs/alerting/latest/configuration/#pagerduty_config +#PagerDutyConfig: { + // SendResolved controls notify about resolved alerts. + // +optional + send_resolved?: null | bool @go(SendResolved,*bool) + + // The secret's key that contains the PagerDuty integration key (when using + // Events API v2). Either this field or `serviceKey` needs to be defined. + // It must be at them same namespace as CRD + // +optional + routing_key?: null | v1.#SecretKeySelector @go(RoutingKey,*v1.SecretKeySelector) + + // The secret's key that contains the PagerDuty service key (when using + // integration type "Prometheus"). Either this field or `routingKey` needs to + // be defined. 
+ // It must be at them same namespace as CRD + // +optional + service_key?: null | v1.#SecretKeySelector @go(ServiceKey,*v1.SecretKeySelector) + + // The URL to send requests to. + // +optional + url?: string @go(URL) + + // Client identification. + // +optional + client?: string @go(Client) + + // Backlink to the sender of notification. + // +optional + client_url?: string @go(ClientURL) + + // Images to attach to the incident. + // +optional + images?: [...#ImageConfig] @go(Images,[]ImageConfig) + + // Links to attach to the incident. + // +optional + links?: [...#LinkConfig] @go(Links,[]LinkConfig) + + // Description of the incident. + // +optional + description?: string @go(Description) + + // Severity of the incident. + // +optional + severity?: string @go(Severity) + + // The class/type of the event. + // +optional + class?: string @go(Class) + + // A cluster or grouping of sources. + // +optional + group?: string @go(Group) + + // The part or component of the affected system that is broken. + // +optional + component?: string @go(Component) + + // Arbitrary key/value pairs that provide further detail about the incident. + // +optional + details?: #PagerDutyDetails @go(Details) + + // HTTP client configuration. + // +optional + http_config?: null | #HTTPConfig @go(HTTPConfig,*HTTPConfig) +} + +// PagerDutyDetails details for config +#PagerDutyDetails: _ + +// ImageConfig is used to attach images to the incident. +// See https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTgx-send-an-alert-event#the-images-property +// for more information. +#ImageConfig: { + href?: string @go(Href) + source: string @go(Source) + alt?: string @go(Alt) +} + +// LinkConfig is used to attach text links to the incident. +// See https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTgx-send-an-alert-event#the-links-property +// for more information. +#LinkConfig: { + href: string @go(Href) + text?: string @go(Text) +} + +// HTTPConfig defines a client HTTP configuration. 
+// See https://prometheus.io/docs/alerting/latest/configuration/#http_config +#HTTPConfig: { + // TODO oAuth2 support + // BasicAuth for the client. + // +optional + basic_auth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + + // The secret's key that contains the bearer token + // It must be at them same namespace as CRD + // +optional + bearer_token_secret?: null | v1.#SecretKeySelector @go(BearerTokenSecret,*v1.SecretKeySelector) + + // BearerTokenFile defines filename for bearer token, it must be mounted to pod. + // +optional + bearer_token_file?: string @go(BearerTokenFile) + + // TLS configuration for the client. + // +optional + tls_config?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + // Optional proxy URL. + // +optional + proxyURL?: string @go(ProxyURL) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmauth_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmauth_types_go_gen.cue new file mode 100644 index 000000000..d2c3a3398 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmauth_types_go_gen.cue 
@@ -0,0 +1,83 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + v12 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// VMAuthSpec defines the desired state of VMAuth +#VMAuthSpec: _ + +// VMAuthUnauthorizedPath defines url_map for unauthorized access +#VMAuthUnauthorizedPath: { + // Paths src request paths + // +optional + src_paths?: [...string] @go(Paths,[]string) + + // URLs defines url_prefix for dst routing + // +optional + url_prefix?: [...string] @go(URLs,[]string) + + // IPFilters defines filter for src ip address + // enterprise only + ip_filters?: #VMUserIPFilters @go(IPFilters) +} + +// EmbeddedIngress describes ingress configuration options. +#EmbeddedIngress: { + // ClassName defines ingress class name for VMAuth + // +optional + class_name?: null | string @go(ClassName,*string) + + #EmbeddedObjectMetadata + + // TlsHosts configures TLS access for ingress, tlsSecretName must be defined for it. + tlsHosts?: [...string] @go(TlsHosts,[]string) + + // TlsSecretName defines secretname at the VMAuth namespace with cert and key + // https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + // +optional + tlsSecretName?: string @go(TlsSecretName) + + // ExtraRules - additional rules for ingress, + // must be checked for correctness by user. + // +optional + extraRules?: [...v12.#IngressRule] @go(ExtraRules,[]v12.IngressRule) + + // ExtraTLS - additional TLS configuration for ingress + // must be checked for correctness by user. 
+ // +optional + extraTls?: [...v12.#IngressTLS] @go(ExtraTLS,[]v12.IngressTLS) + + // Host defines ingress host parameter for default rule + // It will be used, only if TlsHosts is empty + // +optional + host?: string @go(Host) +} + +// VMAuthStatus defines the observed state of VMAuth +#VMAuthStatus: { +} + +// VMAuth is the Schema for the vmauths API +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +genclient +// +k8s:openapi-gen=true +#VMAuth: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #VMAuthSpec @go(Spec) + status?: #VMAuthStatus @go(Status) +} + +// VMAuthList contains a list of VMAuth +#VMAuthList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMAuth] @go(Items,[]VMAuth) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmcluster_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmcluster_types_go_gen.cue new file mode 100644 index 000000000..1f18ce753 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmcluster_types_go_gen.cue 
@@ -0,0 +1,762 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/api/core/v1" + appsv1 "k8s.io/api/apps/v1" +) + +#ClusterStatusExpanding: "expanding" +#ClusterStatusOperational: "operational" +#ClusterStatusFailed: "failed" + +// VMClusterSpec defines the desired state of VMCluster +// +k8s:openapi-gen=true +#VMClusterSpec: _ + +// VMCluster is fast, cost-effective and scalable time-series database. +// Cluster version with +// +operator-sdk:gen-csv:customresourcedefinitions.displayName="VMCluster App" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Deployment,apps" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Statefulset,apps" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Service,v1" +// +genclient +// +k8s:openapi-gen=true +// +kubebuilder:subresource:status +// +kubebuilder:resource:path=vmclusters,scope=Namespaced +// +kubebuilder:printcolumn:name="Insert Count",type="string",JSONPath=".spec.vminsert.replicaCount",description="replicas of VMInsert" +// +kubebuilder:printcolumn:name="Storage Count",type="string",JSONPath=".spec.vmstorage.replicaCount",description="replicas of VMStorage" +// +kubebuilder:printcolumn:name="Select Count",type="string",JSONPath=".spec.vmselect.replicaCount",description="replicas of VMSelect" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.clusterStatus",description="Current status of cluster" +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#VMCluster: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec: #VMClusterSpec @go(Spec) + status?: #VMClusterStatus @go(Status) +} + +// VMClusterStatus defines the observed state of VMCluster 
+#VMClusterStatus: { + // Deprecated. + updateFailCount: int @go(UpdateFailCount) + + // Deprecated. + lastSync?: string @go(LastSync) + clusterStatus: string @go(ClusterStatus) + reason?: string @go(Reason) +} + +// VMClusterList contains a list of VMCluster +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#VMClusterList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMCluster] @go(Items,[]VMCluster) +} + +#VMSelect: { + // Name is deprecated and will be removed at 0.22.0 release + // +deprecated + name?: string @go(Name) + + // PodMetadata configures Labels and Annotations which are propagated to the VMSelect pods. + podMetadata?: null | #EmbeddedObjectMetadata @go(PodMetadata,*EmbeddedObjectMetadata) + + // Image - docker image settings for VMSelect + // +optional + image?: #Image @go(Image) + + // Secrets is a list of Secrets in the same namespace as the VMSelect + // object, which shall be mounted into the VMSelect Pods. + // The Secrets are mounted into /etc/vm/secrets/. + // +optional + secrets?: [...string] @go(Secrets,[]string) + + // ConfigMaps is a list of ConfigMaps in the same namespace as the VMSelect + // object, which shall be mounted into the VMSelect Pods. + // The ConfigMaps are mounted into /etc/vm/configs/. + // +optional + configMaps?: [...string] @go(ConfigMaps,[]string) + + // LogFormat for VMSelect to be configured with. + // default or json + // +optional + // +kubebuilder:validation:Enum=default;json + logFormat?: string @go(LogFormat) + + // LogLevel for VMSelect to be configured with. + // +optional + // +kubebuilder:validation:Enum=INFO;WARN;ERROR;FATAL;PANIC + logLevel?: string @go(LogLevel) + + // ReplicaCount is the expected size of the VMSelect cluster. The controller will + // eventually make the size of the running cluster equal to the expected + // size. 
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Number of pods",xDescriptors="urn:alm:descriptor:com.tectonic.ui:podCount,urn:alm:descriptor:io.kubernetes:custom" + replicaCount?: null | int32 @go(ReplicaCount,*int32) + + // Volumes allows configuration of additional volumes on the output Deployment definition. + // Volumes specified will be appended to other volumes that are generated as a result of + // StorageSpec objects. + // +optional + volumes?: [...v1.#Volume] @go(Volumes,[]v1.Volume) + + // VolumeMounts allows configuration of additional VolumeMounts on the output Deployment definition. + // VolumeMounts specified will be appended to other VolumeMounts in the VMSelect container, + // that are generated as a result of StorageSpec objects. + // +optional + volumeMounts?: [...v1.#VolumeMount] @go(VolumeMounts,[]v1.VolumeMount) + + // Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Resources",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements" + // +optional + resources?: v1.#ResourceRequirements @go(Resources) + + // Affinity If specified, the pod's scheduling constraints. + // +optional + affinity?: null | v1.#Affinity @go(Affinity,*v1.Affinity) + + // Tolerations If specified, the pod's tolerations. + // +optional + tolerations?: [...v1.#Toleration] @go(Tolerations,[]v1.Toleration) + + // SecurityContext holds pod-level security attributes and common container settings. + // This defaults to the default PodSecurityContext. + // +optional + securityContext?: null | v1.#PodSecurityContext @go(SecurityContext,*v1.PodSecurityContext) + + // Containers property allows to inject additions sidecars or to patch existing containers. + // It can be useful for proxies, backup, etc. 
+ // +optional + containers?: [...v1.#Container] @go(Containers,[]v1.Container) + + // InitContainers allows adding initContainers to the pod definition. Those can be used to e.g. + // fetch secrets for injection into the VMSelect configuration from external sources. Any + // errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + // Using initContainers for any use case other then secret fetching is entirely outside the scope + // of what the maintainers will support and by doing so, you accept that this behaviour may break + // at any time without notice. + // +optional + initContainers?: [...v1.#Container] @go(InitContainers,[]v1.Container) + + // Priority class assigned to the Pods + // +optional + priorityClassName?: string @go(PriorityClassName) + + // HostNetwork controls whether the pod may use the node network namespace + // +optional + hostNetwork?: bool @go(HostNetwork) + + // DNSPolicy sets DNS policy for the pod + // +optional + dnsPolicy?: v1.#DNSPolicy @go(DNSPolicy) + + // Specifies the DNS parameters of a pod. + // Parameters specified here will be merged to the generated DNS + // configuration based on DNSPolicy. + // +optional + dnsConfig?: null | v1.#PodDNSConfig @go(DNSConfig,*v1.PodDNSConfig) + + // TopologySpreadConstraints embedded kubernetes pod configuration option, + // controls how pods are spread across your cluster among failure-domains + // such as regions, zones, nodes, and other user-defined topology domains + // https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + // +optional + topologySpreadConstraints?: [...v1.#TopologySpreadConstraint] @go(TopologySpreadConstraints,[]v1.TopologySpreadConstraint) + + // CacheMountPath allows to add cache persistent for VMSelect, + // will use "/cache" as default if not specified. 
+ // +optional + cacheMountPath?: string @go(CacheMountPath) + + // Storage - add persistent volume for cacheMounthPath + // its useful for persistent cache + // use storage instead of persistentVolume. + // +deprecated + // +optional + persistentVolume?: null | #StorageSpec @go(Storage,*StorageSpec) + + // StorageSpec - add persistent volume claim for cacheMountPath + // its needed for persistent cache + // +optional + storage?: null | #StorageSpec @go(StorageSpec,*StorageSpec) + + // ExtraEnvs that will be added to VMSelect pod + // +optional + extraEnvs?: [...v1.#EnvVar] @go(ExtraEnvs,[]v1.EnvVar) + + // +optional + extraArgs?: {[string]: string} @go(ExtraArgs,map[string]string) + + // Port listen port + // +optional + port?: string @go(Port) + + // ClusterNativePort for multi-level cluster setup. + // More details: https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#multi-level-cluster-setup + // +optional + clusterNativeListenPort?: string @go(ClusterNativePort) + + // SchedulerName - defines kubernetes scheduler name + // +optional + schedulerName?: string @go(SchedulerName) + + // RuntimeClassName - defines runtime class for kubernetes pod. + // https://kubernetes.io/docs/concepts/containers/runtime-class/ + // +optional + runtimeClassName?: null | string @go(RuntimeClassName,*string) + + // ServiceSpec that will be added to vmselect service spec + // +optional + serviceSpec?: null | #ServiceSpec @go(ServiceSpec,*ServiceSpec) + + // ServiceScrapeSpec that will be added to vmselect VMServiceScrape spec + // +optional + serviceScrapeSpec?: null | #VMServiceScrapeSpec @go(ServiceScrapeSpec,*VMServiceScrapeSpec) + + // PodDisruptionBudget created by operator + // +optional + podDisruptionBudget?: null | #EmbeddedPodDisruptionBudgetSpec @go(PodDisruptionBudget,*EmbeddedPodDisruptionBudgetSpec) + + #EmbeddedProbes + + // Configures horizontal pod autoscaling. + // Note, enabling this option disables vmselect to vmselect communication. 
In most cases it's not an issue. + // +optional + hpa?: null | #EmbeddedHPA @go(HPA,*EmbeddedHPA) + + // NodeSelector Define which Nodes the Pods are scheduled on. + // +optional + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) + + // RollingUpdateStrategy defines strategy for application updates + // Default is OnDelete, in this case operator handles update process + // Can be changed for RollingUpdate + // +optional + rollingUpdateStrategy?: appsv1.#StatefulSetUpdateStrategyType @go(RollingUpdateStrategy) + + // TerminationGracePeriodSeconds period for container graceful termination + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) + + // ReadinessGates defines pod readiness gates + readinessGates?: [...v1.#PodReadinessGate] @go(ReadinessGates,[]v1.PodReadinessGate) + + // ClaimTemplates allows adding additional VolumeClaimTemplates for StatefulSet + claimTemplates?: [...v1.#PersistentVolumeClaim] @go(ClaimTemplates,[]v1.PersistentVolumeClaim) +} + +#InsertPorts: { + // GraphitePort listen port + // +optional + graphitePort?: string @go(GraphitePort) + + // InfluxPort listen port + // +optional + influxPort?: string @go(InfluxPort) + + // OpenTSDBHTTPPort for http connections. + // +optional + openTSDBHTTPPort?: string @go(OpenTSDBHTTPPort) + + // OpenTSDBPort for tcp and udp listen + // +optional + openTSDBPort?: string @go(OpenTSDBPort) +} + +#VMInsert: { + // Name is deprecated and will be removed at 0.22.0 release + // +deprecated + // +optional + name?: string @go(Name) + + // PodMetadata configures Labels and Annotations which are propagated to the VMSelect pods. + podMetadata?: null | #EmbeddedObjectMetadata @go(PodMetadata,*EmbeddedObjectMetadata) + + // Image - docker image settings for VMInsert + // +optional + image?: #Image @go(Image) + + // Secrets is a list of Secrets in the same namespace as the VMSelect + // object, which shall be mounted into the VMSelect Pods. 
+ // The Secrets are mounted into /etc/vm/secrets/. + // +optional + secrets?: [...string] @go(Secrets,[]string) + + // ConfigMaps is a list of ConfigMaps in the same namespace as the VMSelect + // object, which shall be mounted into the VMSelect Pods. + // The ConfigMaps are mounted into /etc/vm/configs/. + // +optional + configMaps?: [...string] @go(ConfigMaps,[]string) + + // LogFormat for VMSelect to be configured with. + // default or json + // +optional + // +kubebuilder:validation:Enum=default;json + logFormat?: string @go(LogFormat) + + // LogLevel for VMSelect to be configured with. + // +optional + // +kubebuilder:validation:Enum=INFO;WARN;ERROR;FATAL;PANIC + logLevel?: string @go(LogLevel) + + // ReplicaCount is the expected size of the VMInsert cluster. The controller will + // eventually make the size of the running cluster equal to the expected + // size. + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Number of pods",xDescriptors="urn:alm:descriptor:com.tectonic.ui:podCount,urn:alm:descriptor:io.kubernetes:custom" + replicaCount?: null | int32 @go(ReplicaCount,*int32) + + // Volumes allows configuration of additional volumes on the output Deployment definition. + // Volumes specified will be appended to other volumes that are generated as a result of + // StorageSpec objects. + // +optional + volumes?: [...v1.#Volume] @go(Volumes,[]v1.Volume) + + // VolumeMounts allows configuration of additional VolumeMounts on the output Deployment definition. + // VolumeMounts specified will be appended to other VolumeMounts in the VMSelect container, + // that are generated as a result of StorageSpec objects. 
+ // +optional + volumeMounts?: [...v1.#VolumeMount] @go(VolumeMounts,[]v1.VolumeMount) + + // Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Resources",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements" + // +optional + resources?: v1.#ResourceRequirements @go(Resources) + + // Affinity If specified, the pod's scheduling constraints. + // +optional + affinity?: null | v1.#Affinity @go(Affinity,*v1.Affinity) + + // Tolerations If specified, the pod's tolerations. + // +optional + tolerations?: [...v1.#Toleration] @go(Tolerations,[]v1.Toleration) + + // SecurityContext holds pod-level security attributes and common container settings. + // This defaults to the default PodSecurityContext. + // +optional + securityContext?: null | v1.#PodSecurityContext @go(SecurityContext,*v1.PodSecurityContext) + + // Containers property allows to inject additions sidecars or to patch existing containers. + // It can be useful for proxies, backup, etc. + // +optional + containers?: [...v1.#Container] @go(Containers,[]v1.Container) + + // InitContainers allows adding initContainers to the pod definition. Those can be used to e.g. + // fetch secrets for injection into the VMSelect configuration from external sources. Any + // errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + // Using initContainers for any use case other then secret fetching is entirely outside the scope + // of what the maintainers will support and by doing so, you accept that this behaviour may break + // at any time without notice. 
+ // +optional + initContainers?: [...v1.#Container] @go(InitContainers,[]v1.Container) + + // Priority class assigned to the Pods + // +optional + priorityClassName?: string @go(PriorityClassName) + + // HostNetwork controls whether the pod may use the node network namespace + // +optional + hostNetwork?: bool @go(HostNetwork) + + // DNSPolicy sets DNS policy for the pod + // +optional + dnsPolicy?: v1.#DNSPolicy @go(DNSPolicy) + + // Specifies the DNS parameters of a pod. + // Parameters specified here will be merged to the generated DNS + // configuration based on DNSPolicy. + // +optional + dnsConfig?: null | v1.#PodDNSConfig @go(DNSConfig,*v1.PodDNSConfig) + + // TopologySpreadConstraints embedded kubernetes pod configuration option, + // controls how pods are spread across your cluster among failure-domains + // such as regions, zones, nodes, and other user-defined topology domains + // https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + // +optional + topologySpreadConstraints?: [...v1.#TopologySpreadConstraint] @go(TopologySpreadConstraints,[]v1.TopologySpreadConstraint) + + // +optional + extraArgs?: {[string]: string} @go(ExtraArgs,map[string]string) + + // InsertPorts - additional listen ports for data ingestion. + insertPorts?: null | #InsertPorts @go(InsertPorts,*InsertPorts) + + // Port listen port + // +optional + port?: string @go(Port) + + // ClusterNativePort for multi-level cluster setup. + // More details: https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#multi-level-cluster-setup + // +optional + clusterNativeListenPort?: string @go(ClusterNativePort) + + // SchedulerName - defines kubernetes scheduler name + // +optional + schedulerName?: string @go(SchedulerName) + + // RuntimeClassName - defines runtime class for kubernetes pod. 
+ // https://kubernetes.io/docs/concepts/containers/runtime-class/ + // +optional + runtimeClassName?: null | string @go(RuntimeClassName,*string) + + // ExtraEnvs that will be added to VMSelect pod + // +optional + extraEnvs?: [...v1.#EnvVar] @go(ExtraEnvs,[]v1.EnvVar) + + // ServiceSpec that will be added to vminsert service spec + // +optional + serviceSpec?: null | #ServiceSpec @go(ServiceSpec,*ServiceSpec) + + // ServiceScrapeSpec that will be added to vminsert VMServiceScrape spec + // +optional + serviceScrapeSpec?: null | #VMServiceScrapeSpec @go(ServiceScrapeSpec,*VMServiceScrapeSpec) + + // UpdateStrategy - overrides default update strategy. + // +kubebuilder:validation:Enum=Recreate;RollingUpdate + // +optional + updateStrategy?: null | appsv1.#DeploymentStrategyType @go(UpdateStrategy,*appsv1.DeploymentStrategyType) + + // RollingUpdate - overrides deployment update params. + // +optional + rollingUpdate?: null | appsv1.#RollingUpdateDeployment @go(RollingUpdate,*appsv1.RollingUpdateDeployment) + + // PodDisruptionBudget created by operator + // +optional + podDisruptionBudget?: null | #EmbeddedPodDisruptionBudgetSpec @go(PodDisruptionBudget,*EmbeddedPodDisruptionBudgetSpec) + + #EmbeddedProbes + + // HPA defines kubernetes PodAutoScaling configuration version 2. + hpa?: null | #EmbeddedHPA @go(HPA,*EmbeddedHPA) + + // NodeSelector Define which Nodes the Pods are scheduled on. 
+ // +optional + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) + + // TerminationGracePeriodSeconds period for container graceful termination + // +optional + terminationGracePeriodSeconds?: null | int64 @go(TerminationGracePeriodSeconds,*int64) + + // ReadinessGates defines pod readiness gates + readinessGates?: [...v1.#PodReadinessGate] @go(ReadinessGates,[]v1.PodReadinessGate) +} + +#VMStorage: { + // Name is deprecated and will be removed at 0.22.0 release + // +deprecated + // +optional + name?: string @go(Name) + + // PodMetadata configures Labels and Annotations which are propagated to the VMSelect pods. + podMetadata?: null | #EmbeddedObjectMetadata @go(PodMetadata,*EmbeddedObjectMetadata) + + // Image - docker image settings for VMStorage + // +optional + image?: #Image @go(Image) + + // Secrets is a list of Secrets in the same namespace as the VMSelect + // object, which shall be mounted into the VMSelect Pods. + // The Secrets are mounted into /etc/vm/secrets/. + // +optional + secrets?: [...string] @go(Secrets,[]string) + + // ConfigMaps is a list of ConfigMaps in the same namespace as the VMSelect + // object, which shall be mounted into the VMSelect Pods. + // The ConfigMaps are mounted into /etc/vm/configs/. + // +optional + configMaps?: [...string] @go(ConfigMaps,[]string) + + // LogFormat for VMSelect to be configured with. + // default or json + // +optional + // +kubebuilder:validation:Enum=default;json + logFormat?: string @go(LogFormat) + + // LogLevel for VMSelect to be configured with. + // +optional + // +kubebuilder:validation:Enum=INFO;WARN;ERROR;FATAL;PANIC + logLevel?: string @go(LogLevel) + + // ReplicaCount is the expected size of the VMStorage cluster. The controller will + // eventually make the size of the running cluster equal to the expected + // size. 
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Number of pods",xDescriptors="urn:alm:descriptor:com.tectonic.ui:podCount,urn:alm:descriptor:io.kubernetes:custom" + replicaCount?: null | int32 @go(ReplicaCount,*int32) + + // Volumes allows configuration of additional volumes on the output Deployment definition. + // Volumes specified will be appended to other volumes that are generated as a result of + // StorageSpec objects. + // +optional + volumes?: [...v1.#Volume] @go(Volumes,[]v1.Volume) + + // VolumeMounts allows configuration of additional VolumeMounts on the output Deployment definition. + // VolumeMounts specified will be appended to other VolumeMounts in the VMSelect container, + // that are generated as a result of StorageSpec objects. + // +optional + volumeMounts?: [...v1.#VolumeMount] @go(VolumeMounts,[]v1.VolumeMount) + + // Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Resources",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements" + // +optional + resources?: v1.#ResourceRequirements @go(Resources) + + // Affinity If specified, the pod's scheduling constraints. + // +optional + affinity?: null | v1.#Affinity @go(Affinity,*v1.Affinity) + + // Tolerations If specified, the pod's tolerations. + // +optional + tolerations?: [...v1.#Toleration] @go(Tolerations,[]v1.Toleration) + + // SecurityContext holds pod-level security attributes and common container settings. + // This defaults to the default PodSecurityContext. + // +optional + securityContext?: null | v1.#PodSecurityContext @go(SecurityContext,*v1.PodSecurityContext) + + // Containers property allows to inject additions sidecars or to patch existing containers. + // It can be useful for proxies, backup, etc. 
+ // +optional + containers?: [...v1.#Container] @go(Containers,[]v1.Container) + + // InitContainers allows adding initContainers to the pod definition. Those can be used to e.g. + // fetch secrets for injection into the VMSelect configuration from external sources. Any + // errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + // Using initContainers for any use case other then secret fetching is entirely outside the scope + // of what the maintainers will support and by doing so, you accept that this behaviour may break + // at any time without notice. + // +optional + initContainers?: [...v1.#Container] @go(InitContainers,[]v1.Container) + + // Priority class assigned to the Pods + // +optional + priorityClassName?: string @go(PriorityClassName) + + // HostNetwork controls whether the pod may use the node network namespace + // +optional + hostNetwork?: bool @go(HostNetwork) + + // DNSPolicy sets DNS policy for the pod + // +optional + dnsPolicy?: v1.#DNSPolicy @go(DNSPolicy) + + // Specifies the DNS parameters of a pod. + // Parameters specified here will be merged to the generated DNS + // configuration based on DNSPolicy. 
+ // +optional + dnsConfig?: null | v1.#PodDNSConfig @go(DNSConfig,*v1.PodDNSConfig) + + // TopologySpreadConstraints embedded kubernetes pod configuration option, + // controls how pods are spread across your cluster among failure-domains + // such as regions, zones, nodes, and other user-defined topology domains + // https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + // +optional + topologySpreadConstraints?: [...v1.#TopologySpreadConstraint] @go(TopologySpreadConstraints,[]v1.TopologySpreadConstraint) + + // StorageDataPath - path to storage data + // +optional + storageDataPath?: string @go(StorageDataPath) + + // Storage - add persistent volume for StorageDataPath + // its useful for persistent cache + // +optional + storage?: null | #StorageSpec @go(Storage,*StorageSpec) + + // TerminationGracePeriodSeconds period for container graceful termination + // +optional + terminationGracePeriodSeconds?: int64 @go(TerminationGracePeriodSeconds) + + // SchedulerName - defines kubernetes scheduler name + // +optional + schedulerName?: string @go(SchedulerName) + + // RuntimeClassName - defines runtime class for kubernetes pod. 
+ // https://kubernetes.io/docs/concepts/containers/runtime-class/ + // +optional + runtimeClassName?: null | string @go(RuntimeClassName,*string) + + // Port for health check connetions + port?: string @go(Port) + + // VMInsertPort for VMInsert connections + // +optional + vmInsertPort?: string @go(VMInsertPort) + + // VMSelectPort for VMSelect connections + // +optional + vmSelectPort?: string @go(VMSelectPort) + + // VMBackup configuration for backup + // +optional + vmBackup?: null | #VMBackup @go(VMBackup,*VMBackup) + + // +optional + extraArgs?: {[string]: string} @go(ExtraArgs,map[string]string) + + // ExtraEnvs that will be added to VMSelect pod + // +optional + extraEnvs?: [...v1.#EnvVar] @go(ExtraEnvs,[]v1.EnvVar) + + // ServiceSpec that will be create additional service for vmstorage + // +optional + serviceSpec?: null | #ServiceSpec @go(ServiceSpec,*ServiceSpec) + + // ServiceScrapeSpec that will be added to vmstorage VMServiceScrape spec + // +optional + serviceScrapeSpec?: null | #VMServiceScrapeSpec @go(ServiceScrapeSpec,*VMServiceScrapeSpec) + + // PodDisruptionBudget created by operator + // +optional + podDisruptionBudget?: null | #EmbeddedPodDisruptionBudgetSpec @go(PodDisruptionBudget,*EmbeddedPodDisruptionBudgetSpec) + + #EmbeddedProbes + + // MaintenanceInsertNodeIDs - excludes given node ids from insert requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc. + // lets say, you have pod-0, pod-1, pod-2, pod-3. to exclude pod-0 and pod-3 from insert routing, define nodeIDs: [0,3]. + // Useful at storage expanding, when you want to rebalance some data at cluster. + // +optional + maintenanceInsertNodeIDs?: [...int32] @go(MaintenanceInsertNodeIDs,[]int32) + + // MaintenanceInsertNodeIDs - excludes given node ids from select requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc. 
+ maintenanceSelectNodeIDs?: [...int32] @go(MaintenanceSelectNodeIDs,[]int32) + + // NodeSelector Define which Nodes the Pods are scheduled on. + // +optional + nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) + + // RollingUpdateStrategy defines strategy for application updates + // Default is OnDelete, in this case operator handles update process + // Can be changed for RollingUpdate + // +optional + rollingUpdateStrategy?: appsv1.#StatefulSetUpdateStrategyType @go(RollingUpdateStrategy) + + // ReadinessGates defines pod readiness gates + readinessGates?: [...v1.#PodReadinessGate] @go(ReadinessGates,[]v1.PodReadinessGate) + + // ClaimTemplates allows adding additional VolumeClaimTemplates for StatefulSet + claimTemplates?: [...v1.#PersistentVolumeClaim] @go(ClaimTemplates,[]v1.PersistentVolumeClaim) +} + +#VMBackup: { + // AcceptEULA accepts enterprise feature usage, must be set to true. + // otherwise backupmanager cannot be added to single/cluster version. + // https://victoriametrics.com/legal/esa/ + // +optional + acceptEULA: bool @go(AcceptEULA) + + // SnapshotCreateURL overwrites url for snapshot create + // +optional + snapshotCreateURL?: string @go(SnapshotCreateURL) + + // SnapShotDeleteURL overwrites url for snapshot delete + // +optional + snapshotDeleteURL?: string @go(SnapShotDeleteURL) + + // Defines number of concurrent workers. Higher concurrency may reduce backup duration (default 10) + // +optional + concurrency?: null | int32 @go(Concurrency,*int32) + + // Defines destination for backup + destination?: string @go(Destination) + + // DestinationDisableSuffixAdd - disables suffix adding for cluster version backups + // each vmstorage backup must have unique backup folder + // so operator adds POD_NAME as suffix for backup destination folder. + // +optional + destinationDisableSuffixAdd?: bool @go(DestinationDisableSuffixAdd) + + // Custom S3 endpoint for use with S3-compatible storages (e.g. MinIO). 
S3 is used if not set + // +optional + customS3Endpoint?: null | string @go(CustomS3Endpoint,*string) + + // CredentialsSecret is secret in the same namespace for access to remote storage + // The secret is mounted into /etc/vm/creds. + // +optional + credentialsSecret?: null | v1.#SecretKeySelector @go(CredentialsSecret,*v1.SecretKeySelector) + + // Defines if hourly backups disabled (default false) + // +optional + disableHourly?: null | bool @go(DisableHourly,*bool) + + // Defines if daily backups disabled (default false) + // +optional + disableDaily?: null | bool @go(DisableDaily,*bool) + + // Defines if weekly backups disabled (default false) + // +optional + disableWeekly?: null | bool @go(DisableWeekly,*bool) + + // Defines if monthly backups disabled (default false) + // +optional + disableMonthly?: null | bool @go(DisableMonthly,*bool) + + // Image - docker image settings for VMBackuper + // +optional + image?: #Image @go(Image) + + // Port for health check connections + port?: string @go(Port) + + // LogFormat for VMSelect to be configured with. + // default or json + // +optional + // +kubebuilder:validation:Enum=default;json + logFormat?: null | string @go(LogFormat,*string) + + // LogLevel for VMSelect to be configured with. + // +optional + // +kubebuilder:validation:Enum=INFO;WARN;ERROR;FATAL;PANIC + logLevel?: null | string @go(LogLevel,*string) + + // Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // if not defined default resources from operator config will be used + // +optional + resources?: v1.#ResourceRequirements @go(Resources) + + // extra args like maxBytesPerSecond default 0 + // +optional + extraArgs?: {[string]: string} @go(ExtraArgs,map[string]string) + + // +optional + extraEnvs?: [...v1.#EnvVar] @go(ExtraEnvs,[]v1.EnvVar) + + // VolumeMounts allows configuration of additional VolumeMounts on the output Deployment definition. 
+ // VolumeMounts specified will be appended to other VolumeMounts in the vmbackupmanager container, + // that are generated as a result of StorageSpec objects. + // +optional + volumeMounts?: [...v1.#VolumeMount] @go(VolumeMounts,[]v1.VolumeMount) + + // Restore Allows to enable restore options for pod + // Read more: https://docs.victoriametrics.com/vmbackupmanager.html#restore-commands + // +optional + restore?: null | #VMRestore @go(Restore,*VMRestore) +} + +#VMRestore: { + // OnStart defines configuration for restore on pod start + // +optional + onStart?: null | #VMRestoreOnStartConfig @go(OnStart,*VMRestoreOnStartConfig) +} + +#VMRestoreOnStartConfig: { + // Enabled defines if restore on start enabled + // +optional + enabled?: bool @go(Enabled) +} + +// Image defines docker image settings +#Image: { + // Repository contains name of docker image + it's repository if needed + repository?: string @go(Repository) + + // Tag contains desired docker image version + tag?: string @go(Tag) + + // PullPolicy describes how to pull docker image + pullPolicy?: v1.#PullPolicy @go(PullPolicy) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmnodescrape_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmnodescrape_types_go_gen.cue new file mode 100644 index 000000000..9c51eb243 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmnodescrape_types_go_gen.cue 
@@ -0,0 +1,142 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// VMNodeScrapeSpec defines specification for VMNodeScrape. +#VMNodeScrapeSpec: { + // The label to use to retrieve the job name from. + // +optional + jobLabel?: string @go(JobLabel) + + // TargetLabels transfers labels on the Kubernetes Node onto the target. + // +optional + targetLabels?: [...string] @go(TargetLabels,[]string) + + // Name of the port exposed at Node. + // +optional + port?: string @go(Port) + + // HTTP path to scrape for metrics. + // +optional + path?: string @go(Path) + + // HTTP scheme to use for scraping. + // +optional + // +kubebuilder:validation:Enum=http;https + scheme?: string @go(Scheme) + + // Optional HTTP URL parameters + // +optional + params?: {[string]: [...string]} @go(Params,map[string][]string) + + // FollowRedirects controls redirects for scraping. + // +optional + follow_redirects?: null | bool @go(FollowRedirects,*bool) + + // Interval at which metrics should be scraped + // +optional + interval?: string @go(Interval) + + // ScrapeInterval is the same as Interval and has priority over it. + // one of scrape_interval or interval can be used + // +optional + scrape_interval?: string @go(ScrapeInterval) + + // Timeout after which the scrape is ended + // +optional + scrapeTimeout?: string @go(ScrapeTimeout) + + // OAuth2 defines auth configuration + // +optional + oauth2?: null | #OAuth2 @go(OAuth2,*OAuth2) + + // Authorization with http header Authorization + // +optional + authorization?: null | #Authorization @go(Authorization,*Authorization) + + // +optional + tlsConfig?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + // File to read bearer token for scraping targets. 
+ // +optional + bearerTokenFile?: string @go(BearerTokenFile) + + // Secret to mount to read bearer token for scraping targets. The secret + // needs to be accessible by + // the victoria-metrics operator. + // +optional + // +nullable + bearerTokenSecret?: null | v1.#SecretKeySelector @go(BearerTokenSecret,*v1.SecretKeySelector) + + // HonorLabels chooses the metric's labels on collisions with target labels. + // +optional + honorLabels?: bool @go(HonorLabels) + + // HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. + // +optional + honorTimestamps?: null | bool @go(HonorTimestamps,*bool) + + // BasicAuth allow an endpoint to authenticate over basic authentication + // More info: https://prometheus.io/docs/operating/configuration/#endpoints + // +optional + basicAuth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + + // MetricRelabelConfigs to apply to samples before ingestion. + // +optional + metricRelabelConfigs?: [...null | #RelabelConfig] @go(MetricRelabelConfigs,[]*RelabelConfig) + + // RelabelConfigs to apply to samples before scraping. + // More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + // +optional + relabelConfigs?: [...null | #RelabelConfig] @go(RelabelConfigs,[]*RelabelConfig) + + // ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. + // +optional + proxyURL?: null | string @go(ProxyURL,*string) + + // Selector to select kubernetes Nodes. + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.displayName="Service selector" + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:selector:" + // +optional + selector?: metav1.#LabelSelector @go(Selector) + + // SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. 
+ // +optional + sampleLimit?: uint64 @go(SampleLimit) + + // VMScrapeParams defines VictoriaMetrics specific scrape parametrs + // +optional + vm_scrape_params?: null | #VMScrapeParams @go(VMScrapeParams,*VMScrapeParams) +} + +// VMNodeScrapeStatus defines the observed state of VMNodeScrape +#VMNodeScrapeStatus: { +} + +// VMNodeScrape defines discovery for targets placed on kubernetes nodes, +// usually its node-exporters and other host services. +// InternalIP is used as __address__ for scraping. +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +genclient +#VMNodeScrape: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #VMNodeScrapeSpec @go(Spec) + status?: #VMNodeScrapeStatus @go(Status) +} + +// VMNodeScrapeList contains a list of VMNodeScrape +#VMNodeScrapeList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMNodeScrape] @go(Items,[]VMNodeScrape) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmpodscrape_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmpodscrape_types_go_gen.cue new file mode 100644 index 000000000..c655e9482 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmpodscrape_types_go_gen.cue 
@@ -0,0 +1,189 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/api/core/v1" +) + +// VMPodScrapeSpec defines the desired state of VMPodScrape +#VMPodScrapeSpec: { + // The label to use to retrieve the job name from. + // +optional + jobLabel?: string @go(JobLabel) + + // PodTargetLabels transfers labels on the Kubernetes Pod onto the target. + // +optional + podTargetLabels?: [...string] @go(PodTargetLabels,[]string) + + // A list of endpoints allowed as part of this PodMonitor. + podMetricsEndpoints: [...#PodMetricsEndpoint] @go(PodMetricsEndpoints,[]PodMetricsEndpoint) + + // Selector to select Pod objects. + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.displayName="Pod selector" + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:selector:" + // +optional + selector?: metav1.#LabelSelector @go(Selector) + + // Selector to select which namespaces the Endpoints objects are discovered from. + // +optional + namespaceSelector?: #NamespaceSelector @go(NamespaceSelector) + + // SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + // +optional + sampleLimit?: uint64 @go(SampleLimit) +} + +// VMPodScrapeStatus defines the observed state of VMPodScrape +#VMPodScrapeStatus: { +} + +// VMPodScrape is scrape configuration for pods, +// it generates vmagent's config for scraping pod targets +// based on selectors. 
+// +operator-sdk:gen-csv:customresourcedefinitions.displayName="VMPodScrape" +// +kubebuilder:subresource:status +// +kubebuilder:resource:path=vmpodscrapes,scope=Namespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +genclient +#VMPodScrape: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #VMPodScrapeSpec @go(Spec) + + // +optional + status: #VMPodScrapeStatus @go(Status) +} + +// VMPodScrapeList contains a list of VMPodScrape +#VMPodScrapeList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMPodScrape] @go(Items,[]VMPodScrape) +} + +// PodMetricsEndpoint defines a scrapeable endpoint of a Kubernetes Pod serving Prometheus metrics. +// +k8s:openapi-gen=true +#PodMetricsEndpoint: { + // Name of the pod port this endpoint refers to. Mutually exclusive with targetPort. + // +optional + port?: string @go(Port) + + // Deprecated: Use 'port' instead. + // +optional + targetPort?: null | intstr.#IntOrString @go(TargetPort,*intstr.IntOrString) + + // HTTP path to scrape for metrics. + // +optional + path?: string @go(Path) + + // HTTP scheme to use for scraping. + // +optional + // +kubebuilder:validation:Enum=http;https + scheme?: string @go(Scheme) + + // Optional HTTP URL parameters + // +optional + params?: {[string]: [...string]} @go(Params,map[string][]string) + + // FollowRedirects controls redirects for scraping. + // +optional + follow_redirects?: null | bool @go(FollowRedirects,*bool) + + // Interval at which metrics should be scraped + // +optional + interval?: string @go(Interval) + + // ScrapeInterval is the same as Interval and has priority over it. 
+ // one of scrape_interval or interval can be used + // +optional + scrape_interval?: string @go(ScrapeInterval) + + // Timeout after which the scrape is ended + // +optional + scrapeTimeout?: string @go(ScrapeTimeout) + + // SampleLimit defines per-podEndpoint limit on number of scraped samples that will be accepted. + // +optional + sampleLimit?: uint64 @go(SampleLimit) + + // HonorLabels chooses the metric's labels on collisions with target labels. + // +optional + honorLabels?: bool @go(HonorLabels) + + // HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. + // +optional + honorTimestamps?: null | bool @go(HonorTimestamps,*bool) + + // MetricRelabelConfigs to apply to samples before ingestion. + // +optional + metricRelabelConfigs?: [...null | #RelabelConfig] @go(MetricRelabelConfigs,[]*RelabelConfig) + + // RelabelConfigs to apply to samples before ingestion. + // More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + // +optional + relabelConfigs?: [...null | #RelabelConfig] @go(RelabelConfigs,[]*RelabelConfig) + + // ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. + // +optional + proxyURL?: null | string @go(ProxyURL,*string) + + // BasicAuth allow an endpoint to authenticate over basic authentication + // More info: https://prometheus.io/docs/operating/configuration/#endpoints + // +optional + basicAuth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + + // File to read bearer token for scraping targets. + // +optional + bearerTokenFile?: string @go(BearerTokenFile) + + // Secret to mount to read bearer token for scraping targets. The secret + // needs to be in the same namespace as the service scrape and accessible by + // the victoria-metrics operator. 
+ // +optional + // +nullable + bearerTokenSecret?: null | v1.#SecretKeySelector @go(BearerTokenSecret,*v1.SecretKeySelector) + + // TLSConfig configuration to use when scraping the endpoint + // +optional + tlsConfig?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + // OAuth2 defines auth configuration + // +optional + oauth2?: null | #OAuth2 @go(OAuth2,*OAuth2) + + // Authorization with http header Authorization + // +optional + authorization?: null | #Authorization @go(Authorization,*Authorization) + + // VMScrapeParams defines VictoriaMetrics specific scrape parametrs + // +optional + vm_scrape_params?: null | #VMScrapeParams @go(VMScrapeParams,*VMScrapeParams) + + // AttachMetadata configures metadata attaching from service discovery + // +optional + attach_metadata?: #AttachMetadata @go(AttachMetadata) + + // FilterRunning applies filter with pod status == running + // it prevents from scrapping metrics at failed or succeed state pods. + // enabled by default + // +optional + filterRunning?: null | bool @go(FilterRunning,*bool) +} + +// ArbitraryFSAccessThroughSMsConfig enables users to configure, whether +// a service scrape selected by the vmagent instance is allowed to use +// arbitrary files on the file system of the vmagent container. This is the case +// when e.g. a service scrape specifies a BearerTokenFile in an endpoint. A +// malicious user could create a service scrape selecting arbitrary secret files +// in the vmagent container. Those secrets would then be sent with a scrape +// request by vmagent to a malicious target. Denying the above would prevent the +// attack, users can instead use the BearerTokenSecret field. +#ArbitraryFSAccessThroughSMsConfig: { + deny?: bool @go(Deny) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmprobe_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmprobe_types_go_gen.cue new file mode 100644 index 000000000..0ef334283 
--- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmprobe_types_go_gen.cue 
@@ -0,0 +1,164 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// VMProbeSpec contains specification parameters for a Probe. +// +k8s:openapi-gen=true +#VMProbeSpec: { + // The job name assigned to scraped metrics by default. + jobName?: string @go(JobName) + + // Specification for the prober to use for probing targets. + // The prober.URL parameter is required. Targets cannot be probed if left empty. + vmProberSpec: #VMProberSpec @go(VMProberSpec) + + // The module to use for probing specifying how to probe the target. + // Example module configuring in the blackbox exporter: + // https://github.com/prometheus/blackbox_exporter/blob/master/example.yml + module?: string @go(Module) + + // Targets defines a set of static and/or dynamically discovered targets to be probed using the prober. + targets?: #VMProbeTargets @go(Targets) + + // Interval at which targets are probed using the configured prober. + // If not specified Prometheus' global scrape interval is used. + interval?: string @go(Interval) + + // ScrapeInterval is the same as Interval and has priority over it. + // one of scrape_interval or interval can be used + // +optional + scrape_interval?: string @go(ScrapeInterval) + + // Timeout for scraping metrics from the Prometheus exporter. + scrapeTimeout?: string @go(ScrapeTimeout) + + // Optional HTTP URL parameters + // +optional + params?: {[string]: [...string]} @go(Params,map[string][]string) + + // FollowRedirects controls redirects for scraping. + // +optional + follow_redirects?: null | bool @go(FollowRedirects,*bool) + + // SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + // +optional + sampleLimit?: uint64 @go(SampleLimit) + + // File to read bearer token for scraping targets. 
+ // +optional + bearerTokenFile?: string @go(BearerTokenFile) + + // Secret to mount to read bearer token for scraping targets. The secret + // needs to be in the same namespace as the service scrape and accessible by + // the victoria-metrics operator. + // +optional + // +nullable + bearerTokenSecret?: null | v1.#SecretKeySelector @go(BearerTokenSecret,*v1.SecretKeySelector) + + // BasicAuth allow an endpoint to authenticate over basic authentication + // More info: https://prometheus.io/docs/operating/configuration/#endpoints + // +optional + basicAuth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + + // OAuth2 defines auth configuration + // +optional + oauth2?: null | #OAuth2 @go(OAuth2,*OAuth2) + + // Authorization with http header Authorization + // +optional + authorization?: null | #Authorization @go(Authorization,*Authorization) + + // TLSConfig configuration to use when scraping the endpoint + // +optional + tlsConfig?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + // VMScrapeParams defines VictoriaMetrics specific scrape parametrs + // +optional + vm_scrape_params?: null | #VMScrapeParams @go(VMScrapeParams,*VMScrapeParams) +} + +// VMProbeTargets defines a set of static and dynamically discovered targets for the prober. +// +k8s:openapi-gen=true +#VMProbeTargets: { + // StaticConfig defines static targets which are considers for probing. + // More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config. + staticConfig?: null | #VMProbeTargetStaticConfig @go(StaticConfig,*VMProbeTargetStaticConfig) + + // Ingress defines the set of dynamically discovered ingress objects which hosts are considered for probing. + ingress?: null | #ProbeTargetIngress @go(Ingress,*ProbeTargetIngress) +} + +// VMProbeTargetStaticConfig defines the set of static targets considered for probing. +// +k8s:openapi-gen=true +#VMProbeTargetStaticConfig: { + // Targets is a list of URLs to probe using the configured prober. 
+ targets: [...string] @go(Targets,[]string) + + // Labels assigned to all metrics scraped from the targets. + labels?: {[string]: string} @go(Labels,map[string]string) + + // More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + relabelingConfigs?: [...null | #RelabelConfig] @go(RelabelConfigs,[]*RelabelConfig) +} + +// ProbeTargetIngress defines the set of Ingress objects considered for probing. +// +k8s:openapi-gen=true +#ProbeTargetIngress: { + // Select Ingress objects by labels. + selector?: metav1.#LabelSelector @go(Selector) + + // Select Ingress objects by namespace. + namespaceSelector?: #NamespaceSelector @go(NamespaceSelector) + + // RelabelConfigs to apply to samples before ingestion. + // More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + relabelingConfigs?: [...null | #RelabelConfig] @go(RelabelConfigs,[]*RelabelConfig) +} + +// VMProberSpec contains specification parameters for the Prober used for probing. +// +k8s:openapi-gen=true +#VMProberSpec: { + // Mandatory URL of the prober. + url: string @go(URL) + + // HTTP scheme to use for scraping. + // Defaults to `http`. + // +optional + // +kubebuilder:validation:Enum=http;https + scheme?: string @go(Scheme) + + // Path to collect metrics from. + // Defaults to `/probe`. + path?: string @go(Path) +} + +// VMProbeStatus defines the observed state of VMProbe +#VMProbeStatus: { +} + +// VMProbe defines a probe for targets, that will be executed with prober, +// like blackbox exporter. +// It helps to monitor reachability of target with various checks. 
+// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +#VMProbe: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec: #VMProbeSpec @go(Spec) + status?: #VMProbeStatus @go(Status) +} + +// VMProbeList contains a list of VMProbe +// +kubebuilder:object:root=true +#VMProbeList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMProbe] @go(Items,[]VMProbe) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmrule_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmrule_types_go_gen.cue new file mode 100644 index 000000000..529120906 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmrule_types_go_gen.cue 
@@ -0,0 +1,160 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + "pkg.go.dev/net/url" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// VMRuleSpec defines the desired state of VMRule +#VMRuleSpec: { + // Groups list of group rules + groups: [...#RuleGroup] @go(Groups,[]RuleGroup) +} + +// RuleGroup is a list of sequentially evaluated recording and alerting rules. +// +k8s:openapi-gen=true +#RuleGroup: { + // Name of group + name: string @go(Name) + + // evaluation interval for group + // +optional + interval?: string @go(Interval) + + // Rules list of alert rules + rules: [...#Rule] @go(Rules,[]Rule) + + // Limit the number of alerts an alerting rule and series a recording + // rule can produce + // +optional + limit?: int @go(Limit) + + // Concurrency defines how many rules execute at once. + // +optional + concurrency?: int @go(Concurrency) + + // Labels optional list of labels added to every rule within a group. + // It has priority over the external labels. + // Labels are commonly used for adding environment + // or tenant-specific tag. + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) + + // ExtraFilterLabels optional list of label filters applied to every rule's + // request withing a group. Is compatible only with VM datasource. 
+ // See more details at https://docs.victoriametrics.com#prometheus-querying-api-enhancements + // Deprecated, use params instead + // +optional + extra_filter_labels?: {[string]: string} @go(ExtraFilterLabels,map[string]string) + + // Tenant id for group, can be used only with enterprise version of vmalert + // See more details at https://docs.victoriametrics.com/vmalert.html#multitenancy + // +optional + tenant?: string @go(Tenant) + + // Params optional HTTP URL parameters added to each rule request + // +optional + params?: url.#Values @go(Params) + + // Type defines datasource type for enterprise version of vmalert + // possible values - prometheus,graphite + // +optional + type?: string @go(Type) + + // Headers contains optional HTTP headers added to each rule request + // Must be in form `header-name: value` + // For example: + // headers: + // - "CustomHeader: foo" + // - "CustomHeader2: bar" + // +optional + headers?: [...string] @go(Headers,[]string) + + // NotifierHeaders contains optional HTTP headers added to each alert request which will send to notifier + // Must be in form `header-name: value` + // For example: + // headers: + // - "CustomHeader: foo" + // - "CustomHeader2: bar" + // +optional + notifier_headers?: [...string] @go(NotifierHeaders,[]string) +} + +// Rule describes an alerting or recording rule. 
+// +k8s:openapi-gen=true +#Rule: { + // Record represents a query, that will be recorded to dataSource + // +optional + record?: string @go(Record) + + // Alert is a name for alert + // +optional + alert?: string @go(Alert) + + // Expr is query, that will be evaluated at dataSource + // +optional + expr: string @go(Expr) + + // Debug enables logging for rule + // it useful for tracking + // +optional + debug?: null | bool @go(Debug,*bool) + + // For evaluation interval in time.Duration format + // 30s, 1m, 1h or nanoseconds + // +optional + for?: string @go(For) + + // KeepFiringFor will make alert continue firing for this long + // even when the alerting expression no longer has results. + // Use time.Duration format, 30s, 1m, 1h or nanoseconds + // +optional + keep_firing_for?: string @go(KeepFiringFor) + + // Labels will be added to rule configuration + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) + + // Annotations will be added to rule configuration + // +optional + annotations?: {[string]: string} @go(Annotations,map[string]string) + + // UpdateEntriesLimit defines max number of rule's state updates stored in memory. + // Overrides `-rule.updateEntriesLimit` in vmalert. 
+ // +optional + update_entries_limit?: null | int @go(UpdateEntriesLimit,*int) +} + +// VMRuleStatus defines the observed state of VMRule +#VMRuleStatus: { +} + +// VMRule defines rule records for vmalert application +// +operator-sdk:gen-csv:customresourcedefinitions.displayName="VMRule" +// +kubebuilder:subresource:status +// +kubebuilder:resource:path=vmrules,scope=Namespaced +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#VMRule: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec: #VMRuleSpec @go(Spec) + + // +optional + status?: #VMRuleStatus @go(Status) +} + +// VMRuleList contains a list of VMRule +#VMRuleList: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) + + // Items list of VMRule + items: [...null | #VMRule] @go(Items,[]*VMRule) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmservicescrape_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmservicescrape_types_go_gen.cue new file mode 100644 index 000000000..bc611b97a --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmservicescrape_types_go_gen.cue 
@@ -0,0 +1,383 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/api/core/v1" +) + +// VMServiceScrapeSpec defines the desired state of VMServiceScrape +#VMServiceScrapeSpec: { + // DiscoveryRole - defines kubernetes_sd role for objects discovery. + // by default, its endpoints. + // can be changed to service or endpointslices. + // note, that with service setting, you have to use port: "name" + // and cannot use targetPort for endpoints. + // +optional + // +kubebuilder:validation:Enum=endpoints;service;endpointslices + discoveryRole?: string @go(DiscoveryRole) + + // The label to use to retrieve the job name from. + // +optional + jobLabel?: string @go(JobLabel) + + // TargetLabels transfers labels on the Kubernetes Service onto the target. + // +optional + targetLabels?: [...string] @go(TargetLabels,[]string) + + // PodTargetLabels transfers labels on the Kubernetes Pod onto the target. + // +optional + podTargetLabels?: [...string] @go(PodTargetLabels,[]string) + + // A list of endpoints allowed as part of this ServiceScrape. + endpoints: [...#Endpoint] @go(Endpoints,[]Endpoint) + + // Selector to select Endpoints objects by corresponding Service labels. + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.displayName="Service selector" + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:selector:" + // +optional + selector?: metav1.#LabelSelector @go(Selector) + + // Selector to select which namespaces the Endpoints objects are discovered from. 
+ // +optional + namespaceSelector?: #NamespaceSelector @go(NamespaceSelector) + + // SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + // +optional + sampleLimit?: uint64 @go(SampleLimit) +} + +// VMServiceScrapeStatus defines the observed state of VMServiceScrape +#VMServiceScrapeStatus: { +} + +// VMServiceScrape is scrape configuration for endpoints associated with +// kubernetes service, +// it generates scrape configuration for vmagent based on selectors. +// result config will scrape service endpoints +// +operator-sdk:gen-csv:customresourcedefinitions.displayName="VMServiceScrape" +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:subresource:status +// +kubebuilder:resource:path=vmservicescrapes,scope=Namespaced +// +genclient +#VMServiceScrape: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec: #VMServiceScrapeSpec @go(Spec) + status?: #VMServiceScrapeStatus @go(Status) +} + +// VMServiceScrapeList contains a list of VMServiceScrape +#VMServiceScrapeList: { + metav1.#TypeMeta + + // +optional + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMServiceScrape] @go(Items,[]VMServiceScrape) +} + +// NamespaceSelector is a selector for selecting either all namespaces or a +// list of namespaces. +// +k8s:openapi-gen=true +#NamespaceSelector: { + // Boolean describing whether all namespaces are selected in contrast to a + // list restricting them. + // +optional + any?: bool @go(Any) + + // List of namespace names. + // +optional + matchNames?: [...string] @go(MatchNames,[]string) +} + +_#nsMatcher: _ + +// Endpoint defines a scrapeable endpoint serving Prometheus metrics. +// +k8s:openapi-gen=true +#Endpoint: { + // Name of the service port this endpoint refers to. Mutually exclusive with targetPort. + // +optional + port?: string @go(Port) + + // Name or number of the pod port this endpoint refers to. Mutually exclusive with port. 
+ // +optional + targetPort?: null | intstr.#IntOrString @go(TargetPort,*intstr.IntOrString) + + // HTTP path to scrape for metrics. + // +optional + path?: string @go(Path) + + // HTTP scheme to use for scraping. + // +optional + // +kubebuilder:validation:Enum=http;https + scheme?: string @go(Scheme) + + // Optional HTTP URL parameters + // +optional + params?: {[string]: [...string]} @go(Params,map[string][]string) + + // FollowRedirects controls redirects for scraping. + // +optional + follow_redirects?: null | bool @go(FollowRedirects,*bool) + + // Interval at which metrics should be scraped + // +optional + interval?: string @go(Interval) + + // ScrapeInterval is the same as Interval and has priority over it. + // one of scrape_interval or interval can be used + // +optional + scrape_interval?: string @go(ScrapeInterval) + + // Timeout after which the scrape is ended + // +optional + scrapeTimeout?: string @go(ScrapeTimeout) + + // SampleLimit defines per-endpoint limit on number of scraped samples that will be accepted. + // +optional + sampleLimit?: uint64 @go(SampleLimit) + + // OAuth2 defines auth configuration + // +optional + oauth2?: null | #OAuth2 @go(OAuth2,*OAuth2) + + // Authorization with http header Authorization + // +optional + authorization?: null | #Authorization @go(Authorization,*Authorization) + + // TLSConfig configuration to use when scraping the endpoint + // +optional + tlsConfig?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + // File to read bearer token for scraping targets. + // +optional + bearerTokenFile?: string @go(BearerTokenFile) + + // Secret to mount to read bearer token for scraping targets. The secret + // needs to be in the same namespace as the service scrape and accessible by + // the victoria-metrics operator. + // +optional + // +nullable + bearerTokenSecret?: null | v1.#SecretKeySelector @go(BearerTokenSecret,*v1.SecretKeySelector) + + // HonorLabels chooses the metric's labels on collisions with target labels. 
+ // +optional + honorLabels?: bool @go(HonorLabels) + + // HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. + // +optional + honorTimestamps?: null | bool @go(HonorTimestamps,*bool) + + // BasicAuth allow an endpoint to authenticate over basic authentication + // More info: https://prometheus.io/docs/operating/configuration/#endpoints + // +optional + basicAuth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + + // MetricRelabelConfigs to apply to samples before ingestion. + // +optional + metricRelabelConfigs?: [...null | #RelabelConfig] @go(MetricRelabelConfigs,[]*RelabelConfig) + + // RelabelConfigs to apply to samples before scraping. + // More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + // +optional + relabelConfigs?: [...null | #RelabelConfig] @go(RelabelConfigs,[]*RelabelConfig) + + // ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. + // +optional + proxyURL?: null | string @go(ProxyURL,*string) + + // VMScrapeParams defines VictoriaMetrics specific scrape parametrs + // +optional + vm_scrape_params?: null | #VMScrapeParams @go(VMScrapeParams,*VMScrapeParams) + + // AttachMetadata configures metadata attaching from service discovery + // +optional + attach_metadata?: #AttachMetadata @go(AttachMetadata) +} + +// AttachMetadata configures metadata attachment +#AttachMetadata: { + // Node instructs vmagent to add node specific metadata from service discovery + // Valid for roles: pod, endpoints, endpointslice. 
+ // +optional + node?: null | bool @go(Node,*bool) +} + +// VMScrapeParams defines scrape target configuration that compatible only with VictoriaMetrics scrapers +// VMAgent and VMSingle +#VMScrapeParams: { + // +optional + relabel_debug?: null | bool @go(RelabelDebug,*bool) + + // +optional + metric_relabel_debug?: null | bool @go(MetricRelabelDebug,*bool) + + // +optional + disable_compression?: null | bool @go(DisableCompression,*bool) + + // +optional + disable_keep_alive?: null | bool @go(DisableKeepAlive,*bool) + + // +optional + no_stale_markers?: null | bool @go(DisableStaleMarkers,*bool) + + // +optional + stream_parse?: null | bool @go(StreamParse,*bool) + + // +optional + scrape_align_interval?: null | string @go(ScrapeAlignInterval,*string) + + // +optional + scrape_offset?: null | string @go(ScrapeOffset,*string) + + // ProxyClientConfig configures proxy auth settings for scraping + // See feature description https://docs.victoriametrics.com/vmagent.html#scraping-targets-via-a-proxy + // +optional + proxy_client_config?: null | #ProxyAuth @go(ProxyClientConfig,*ProxyAuth) + + // Headers allows sending custom headers to scrape targets + // must be in of semicolon separated header with it's value + // eg: + // headerName: headerValue + // vmagent supports since 1.79.0 version + // +optional + headers?: [...string] @go(Headers,[]string) +} + +// ProxyAuth represent proxy auth config +// Only VictoriaMetrics scrapers supports it. 
+// See https://github.com/VictoriaMetrics/VictoriaMetrics/commit/a6a71ef861444eb11fe8ec6d2387f0fc0c4aea87 +#ProxyAuth: { + basic_auth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + bearer_token?: null | v1.#SecretKeySelector @go(BearerToken,*v1.SecretKeySelector) + bearer_token_file?: string @go(BearerTokenFile) + tls_config?: null | #TLSConfig @go(TLSConfig,*TLSConfig) +} + +// OAuth2 defines OAuth2 configuration +#OAuth2: { + // The secret or configmap containing the OAuth2 client id + // +required + client_id: #SecretOrConfigMap @go(ClientID) + + // The secret containing the OAuth2 client secret + // +optional + client_secret?: null | v1.#SecretKeySelector @go(ClientSecret,*v1.SecretKeySelector) + + // ClientSecretFile defines path for client secret file. + // +optional + client_secret_file?: string @go(ClientSecretFile) + + // The URL to fetch the token from + // +kubebuilder:validation:MinLength=1 + // +required + token_url: string @go(TokenURL) + + // OAuth2 scopes used for the token request + // +optional + scopes?: [...string] @go(Scopes,[]string) + + // Parameters to append to the token URL + // +optional + endpoint_params?: {[string]: string} @go(EndpointParams,map[string]string) +} + +// Authorization configures generic authorization params +#Authorization: { + // Type of authorization, default to bearer + // +optional + type?: string @go(Type) + + // Reference to the secret with value for authorization + credentials?: null | v1.#SecretKeySelector @go(Credentials,*v1.SecretKeySelector) + + // File with value for authorization + // +optional + credentialsFile?: string @go(CredentialsFile) +} + +// TLSConfig specifies TLSConfig configuration parameters. +// +k8s:openapi-gen=true +#TLSConfig: { + // Path to the CA cert in the container to use for the targets. + // +optional + caFile?: string @go(CAFile) + + // Stuct containing the CA cert to use for the targets. 
+ // +optional + ca?: #SecretOrConfigMap @go(CA) + + // Path to the client cert file in the container for the targets. + // +optional + certFile?: string @go(CertFile) + + // Struct containing the client cert file for the targets. + // +optional + cert?: #SecretOrConfigMap @go(Cert) + + // Path to the client key file in the container for the targets. + // +optional + keyFile?: string @go(KeyFile) + + // Secret containing the client key file for the targets. + // +optional + keySecret?: null | v1.#SecretKeySelector @go(KeySecret,*v1.SecretKeySelector) + + // Used to verify the hostname for the targets. + // +optional + serverName?: string @go(ServerName) + + // Disable target certificate validation. + // +optional + insecureSkipVerify?: bool @go(InsecureSkipVerify) +} + +// SecretOrConfigMap allows to specify data as a Secret or ConfigMap. Fields are mutually exclusive. +#SecretOrConfigMap: { + // Secret containing data to use for the targets. + // +optional + secret?: null | v1.#SecretKeySelector @go(Secret,*v1.SecretKeySelector) + + // ConfigMap containing data to use for the targets. + // +optional + configMap?: null | v1.#ConfigMapKeySelector @go(ConfigMap,*v1.ConfigMapKeySelector) +} + +// RelabelConfig allows dynamic rewriting of the label set, being applied to samples before ingestion. +// It defines ``-section of configuration. +// More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs +// +k8s:openapi-gen=true +#RelabelConfig: _ + +// APIServerConfig defines a host and auth methods to access apiserver. +// More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config +// +k8s:openapi-gen=true +#APIServerConfig: { + // Host of apiserver. 
+ // A valid string consisting of a hostname or IP followed by an optional port number + host: string @go(Host) + + // BasicAuth allow an endpoint to authenticate over basic authentication + // +optional + basicAuth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + + // Bearer token for accessing apiserver. + // +optional + bearerToken?: string @go(BearerToken) + + // File to read bearer token for accessing apiserver. + // +optional + bearerTokenFile?: string @go(BearerTokenFile) + + // TLSConfig Config to use for accessing apiserver. + // +optional + tlsConfig?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + // +optional + authorization?: null | #Authorization @go(Authorization,*Authorization) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmsingle_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmsingle_types_go_gen.cue new file mode 100644 index 000000000..ef554f187 --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmsingle_types_go_gen.cue 
@@ -0,0 +1,69 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +#SingleStatusExpanding: #SingleStatus & "expanding" +#SingleStatusOperational: #SingleStatus & "operational" +#SingleStatusFailed: #SingleStatus & "failed" + +#SingleStatus: string // #enumSingleStatus + +#enumSingleStatus: + #SingleStatusExpanding | + #SingleStatusOperational | + #SingleStatusFailed + +// VMSingleSpec defines the desired state of VMSingle +// +k8s:openapi-gen=true +// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of VMSingle" +// +kubebuilder:printcolumn:name="RetentionPeriod",type="string",JSONPath=".spec.RetentionPeriod",description="The desired RetentionPeriod for vm single" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +#VMSingleSpec: _ + +// VMSingleStatus defines the observed state of VMSingle +// +k8s:openapi-gen=true +#VMSingleStatus: { + // ReplicaCount Total number of non-terminated pods targeted by this VMSingle. + replicas: int32 @go(Replicas) + + // UpdatedReplicas Total number of non-terminated pods targeted by this VMSingle. + updatedReplicas: int32 @go(UpdatedReplicas) + + // AvailableReplicas Total number of available pods (ready for at least minReadySeconds) targeted by this VMSingle. + availableReplicas: int32 @go(AvailableReplicas) + + // UnavailableReplicas Total number of unavailable pods targeted by this VMSingle. + unavailableReplicas: int32 @go(UnavailableReplicas) + singleStatus: #SingleStatus @go(SingleStatus) + reason?: string @go(Reason) +} + +// VMSingle is fast, cost-effective and scalable time-series database. 
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +operator-sdk:gen-csv:customresourcedefinitions.displayName="VMSingle App" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Deployment,apps" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Service,v1" +// +operator-sdk:gen-csv:customresourcedefinitions.resources="Secret,v1" +// +genclient +// +k8s:openapi-gen=true +// +kubebuilder:subresource:status +// +kubebuilder:resource:path=vmsingles,scope=Namespaced +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.singleStatus",description="Current status of single node" +#VMSingle: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #VMSingleSpec @go(Spec) + status?: #VMSingleStatus @go(Status) +} + +// VMSingleList contains a list of VMSingle +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +#VMSingleList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMSingle] @go(Items,[]VMSingle) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmstaticscrape_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmstaticscrape_types_go_gen.cue new file mode 100644 index 000000000..4bc1c614a --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmstaticscrape_types_go_gen.cue 
@@ -0,0 +1,147 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// VMStaticScrapeSpec defines the desired state of VMStaticScrape. +#VMStaticScrapeSpec: { + // JobName name of job. + jobName?: string @go(JobName) + + // A list of target endpoints to scrape metrics from. + targetEndpoints: [...null | #TargetEndpoint] @go(TargetEndpoints,[]*TargetEndpoint) + + // SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + // +optional + sampleLimit?: uint64 @go(SampleLimit) +} + +// TargetEndpoint defines single static target endpoint. +#TargetEndpoint: { + // Targets static targets addresses in form of ["192.122.55.55:9100","some-name:9100"]. + // +kubebuilder:validation:MinItems=1 + targets: [...string] @go(Targets,[]string) + + // Labels static labels for targets. + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) + + // Default port for target. + // +optional + port?: string @go(Port) + + // HTTP path to scrape for metrics. + // +optional + path?: string @go(Path) + + // HTTP scheme to use for scraping. + // +optional + // +kubebuilder:validation:Enum=http;https + scheme?: string @go(Scheme) + + // Optional HTTP URL parameters + // +optional + params?: {[string]: [...string]} @go(Params,map[string][]string) + + // FollowRedirects controls redirects for scraping. + // +optional + follow_redirects?: null | bool @go(FollowRedirects,*bool) + + // SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + // +optional + sampleLimit?: uint64 @go(SampleLimit) + + // Interval at which metrics should be scraped + // +optional + interval?: string @go(Interval) + + // ScrapeInterval is the same as Interval and has priority over it. 
+ // one of scrape_interval or interval can be used + // +optional + scrape_interval?: string @go(ScrapeInterval) + + // Timeout after which the scrape is ended + // +optional + scrapeTimeout?: string @go(ScrapeTimeout) + + // OAuth2 defines auth configuration + // +optional + oauth2?: null | #OAuth2 @go(OAuth2,*OAuth2) + + // TLSConfig configuration to use when scraping the endpoint + // +optional + tlsConfig?: null | #TLSConfig @go(TLSConfig,*TLSConfig) + + // File to read bearer token for scraping targets. + // +optional + bearerTokenFile?: string @go(BearerTokenFile) + + // Secret to mount to read bearer token for scraping targets. The secret + // needs to be in the same namespace as the service scrape and accessible by + // the victoria-metrics operator. + // +optional + // +nullable + bearerTokenSecret?: null | v1.#SecretKeySelector @go(BearerTokenSecret,*v1.SecretKeySelector) + + // BasicAuth allow an endpoint to authenticate over basic authentication + // More info: https://prometheus.io/docs/operating/configuration/#endpoints + // +optional + basicAuth?: null | #BasicAuth @go(BasicAuth,*BasicAuth) + + // Authorization with http header Authorization + // +optional + authorization?: null | #Authorization @go(Authorization,*Authorization) + + // MetricRelabelConfigs to apply to samples before ingestion. + // +optional + metricRelabelConfigs?: [...null | #RelabelConfig] @go(MetricRelabelConfigs,[]*RelabelConfig) + + // RelabelConfigs to apply to samples before scraping. + // More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + // +optional + relabelConfigs?: [...null | #RelabelConfig] @go(RelabelConfigs,[]*RelabelConfig) + + // ProxyURL eg http://proxyserver:2195 Directs scrapes to proxy through this endpoint. + // +optional + proxyURL?: null | string @go(ProxyURL,*string) + + // HonorLabels chooses the metric's labels on collisions with target labels. 
+ // +optional + honorLabels?: bool @go(HonorLabels) + + // HonorTimestamps controls whether vmagent respects the timestamps present in scraped data. + // +optional + honorTimestamps?: null | bool @go(HonorTimestamps,*bool) + + // VMScrapeParams defines VictoriaMetrics specific scrape parametrs + // +optional + vm_scrape_params?: null | #VMScrapeParams @go(VMScrapeParams,*VMScrapeParams) +} + +// VMStaticScrapeStatus defines the observed state of VMStaticScrape +#VMStaticScrapeStatus: { +} + +// VMStaticScrape defines static targets configuration for scraping. +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +genclient +#VMStaticScrape: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #VMStaticScrapeSpec @go(Spec) + status?: #VMStaticScrapeStatus @go(Status) +} + +// VMStaticScrapeList contains a list of VMStaticScrape +#VMStaticScrapeList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMStaticScrape] @go(Items,[]VMStaticScrape) +} diff --git a/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmuser_types_go_gen.cue b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmuser_types_go_gen.cue new file mode 100644 index 000000000..aa2cfba2a --- /dev/null +++ b/cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1/vmuser_types_go_gen.cue 
@@ -0,0 +1,188 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1 + +package v1beta1 + +import ( + "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// VMUserSpec defines the desired state of VMUser +#VMUserSpec: { + // Name of the VMUser object. + // +optional + name?: null | string @go(Name,*string) + + // UserName basic auth user name for accessing protected endpoint, + // will be replaced with metadata.name of VMUser if omitted. + // +optional + username?: null | string @go(UserName,*string) + + // Password basic auth password for accessing protected endpoint. + // +optional + password?: null | string @go(Password,*string) + + // PasswordRef allows fetching password from user-create secret by its name and key. + // +optional + passwordRef?: null | v1.#SecretKeySelector @go(PasswordRef,*v1.SecretKeySelector) + + // TokenRef allows fetching token from user-created secrets by its name and key. + // +optional + tokenRef?: null | v1.#SecretKeySelector @go(TokenRef,*v1.SecretKeySelector) + + // GeneratePassword instructs operator to generate password for user + // if spec.password if empty. + // +optional + generatePassword?: bool @go(GeneratePassword) + + // BearerToken Authorization header value for accessing protected endpoint. + // +optional + bearerToken?: null | string @go(BearerToken,*string) + + // TargetRefs - reference to endpoints, which user may access. 
+ targetRefs: [...#TargetRef] @go(TargetRefs,[]TargetRef) + + // DefaultURLs backend url for non-matching paths filter + // usually used for default backend with error message + // +optional + default_url?: [...string] @go(DefaultURLs,[]string) + + // IPFilters defines per target src ip filters + // supported only with enterprise version of vmauth + // https://docs.victoriametrics.com/vmauth.html#ip-filters + // +optional + ip_filters?: #VMUserIPFilters @go(IPFilters) + + // Headers represent additional http headers, that vmauth uses + // in form of ["header_key: header_value"] + // multiple values for header key: + // ["header_key: value1,value2"] + // it's available since 1.68.0 version of vmauth + // +optional + headers?: [...string] @go(Headers,[]string) + + // ResponseHeaders represent additional http headers, that vmauth adds for request response + // in form of ["header_key: header_value"] + // multiple values for header key: + // ["header_key: value1,value2"] + // it's available since 1.93.0 version of vmauth + // +optional + response_headers?: [...string] @go(ResponseHeaders,[]string) + + // RetryStatusCodes defines http status codes in numeric format for request retries + // e.g. [429,503] + // +optional + retry_status_codes?: [...int] @go(RetryStatusCodes,[]int) + + // MaxConcurrentRequests defines max concurrent requests per user + // 300 is default value for vmauth + // +optional + max_concurrent_requests?: null | int @go(MaxConcurrentRequests,*int) + + // DisableSecretCreation skips related secret creation for vmuser + disable_secret_creation?: bool @go(DisableSecretCreation) +} + +// TargetRef describes target for user traffic forwarding. +// one of target types can be chosen: +// crd or static per targetRef. +// user can define multiple targetRefs with different ref Types. +#TargetRef: { + // CRD describes exist operator's CRD object, + // operator generates access url based on CRD params. 
+ // +optional + crd?: null | #CRDRef @go(CRD,*CRDRef) + + // Static - user defined url for traffic forward, + // for instance http://vmsingle:8429 + // +optional + static?: null | #StaticRef @go(Static,*StaticRef) + + // Paths - matched path to route. + // +optional + paths?: [...string] @go(Paths,[]string) + + // QueryParams []string `json:"queryParams,omitempty"` + // TargetPathSuffix allows to add some suffix to the target path + // It allows to hide tenant configuration from user with crd as ref. + // it also may contain any url encoded params. + // +optional + target_path_suffix?: string @go(TargetPathSuffix) + + // Headers represent additional http headers, that vmauth uses + // in form of ["header_key: header_value"] + // multiple values for header key: + // ["header_key: value1,value2"] + // it's available since 1.68.0 version of vmauth + // +optional + headers?: [...string] @go(Headers,[]string) + + // ResponseHeaders represent additional http headers, that vmauth adds for request response + // in form of ["header_key: header_value"] + // multiple values for header key: + // ["header_key: value1,value2"] + // it's available since 1.93.0 version of vmauth + // +optional + response_headers?: [...string] @go(ResponseHeaders,[]string) + + // RetryStatusCodes defines http status codes in numeric format for request retries + // Can be defined per target or at VMUser.spec level + // e.g. [429,503] + // +optional + retry_status_codes?: [...int] @go(RetryStatusCodes,[]int) +} + +// VMUserIPFilters defines filters for IP addresses +// supported only with enterprise version of vmauth +// https://docs.victoriametrics.com/vmauth.html#ip-filters +#VMUserIPFilters: { + deny_list?: [...string] @go(DenyList,[]string) + allow_list?: [...string] @go(AllowList,[]string) +} + +// CRDRef describe CRD target reference. 
+#CRDRef: { + // Kind one of: + // VMAgent VMAlert VMCluster VMSingle or VMAlertManager + kind: string @go(Kind) + + // Name target CRD object name + name: string @go(Name) + + // Namespace target CRD object namespace. + namespace: string @go(Namespace) +} + +// StaticRef - user-defined routing host address. +#StaticRef: { + // URL http url for given staticRef. + url?: string @go(URL) + + // URLs allows setting multiple urls for load-balancing at vmauth-side. + // +optional + urls?: [...string] @go(URLs,[]string) +} + +// VMUserStatus defines the observed state of VMUser +#VMUserStatus: { +} + +// VMUser is the Schema for the vmusers API +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +genclient +#VMUser: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #VMUserSpec @go(Spec) + status?: #VMUserStatus @go(Status) +} + +// VMUserList contains a list of VMUser +#VMUserList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#VMUser] @go(Items,[]VMUser) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/BUILD.bazel b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/BUILD.bazel new file mode 100644 index 000000000..bf4b7ebba --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/BUILD.bazel 
@@ -0,0 +1,45 @@ +load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library") + +cue_library( + name = "cue_v1beta1_library", + srcs = [ + "clusterexternalsecret_types_go_gen.cue", + "doc_go_gen.cue", + "externalsecret_types_go_gen.cue", + "externalsecret_validator_go_gen.cue", + "generic_store_go_gen.cue", + "provider_go_gen.cue", + "pushsecret_interfaces_go_gen.cue", + "register_go_gen.cue", + "secretsstore_delinea_types_go_gen.cue", + "secretstore_akeyless_types_go_gen.cue", + "secretstore_alibaba_types_go_gen.cue", + "secretstore_aws_types_go_gen.cue", + "secretstore_azurekv_types_go_gen.cue", + "secretstore_conjur_types_go_gen.cue", + "secretstore_doppler_types_go_gen.cue", + "secretstore_fake_types_go_gen.cue", + "secretstore_gcpsm_types_go_gen.cue", + "secretstore_gitlab_types_go_gen.cue", + "secretstore_ibm_types_go_gen.cue", + "secretstore_keepersecurity_types_go_gen.cue", + "secretstore_kubernetes_types_go_gen.cue", + "secretstore_onepassword_types_go_gen.cue", + "secretstore_oracle_types_go_gen.cue", + "secretstore_scaleway_types_go_gen.cue", + "secretstore_senhasegura_types_go_gen.cue", + "secretstore_types_go_gen.cue", + "secretstore_validator_go_gen.cue", + "secretstore_vault_types_go_gen.cue", + "secretstore_webhook_types_go_gen.cue", + "secretstore_yandexcertificatemanager_types_go_gen.cue", + "secretstore_yandexlockbox_types_go_gen.cue", + ], + importpath = "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1", + visibility = ["//visibility:public"], + deps = [ + "//cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1:cue_v1_library", + "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library", + "//cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1:cue_v1_library", + ], +) 
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/clusterexternalsecret_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/clusterexternalsecret_types_go_gen.cue new file mode 100644 index 000000000..00f44cd67 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/clusterexternalsecret_types_go_gen.cue 
@@ -0,0 +1,108 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. +#ClusterExternalSecretSpec: { + // The spec for the ExternalSecrets to be created + externalSecretSpec: #ExternalSecretSpec @go(ExternalSecretSpec) + + // The name of the external secrets to be created defaults to the name of the ClusterExternalSecret + // +optional + externalSecretName: string @go(ExternalSecretName) + + // The metadata of the external secrets to be created + // +optional + externalSecretMetadata: #ExternalSecretMetadata @go(ExternalSecretMetadata) + + // The labels to select by to find the Namespaces to create the ExternalSecrets in. + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) + + // Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + // +optional + namespaces?: [...string] @go(Namespaces,[]string) + + // The time in which the controller should reconcile its objects and recheck namespaces for labels. + refreshTime?: null | metav1.#Duration @go(RefreshInterval,*metav1.Duration) +} + +// ExternalSecretMetadata defines metadata fields for the ExternalSecret generated by the ClusterExternalSecret. 
+#ExternalSecretMetadata: { + // +optional + annotations?: {[string]: string} @go(Annotations,map[string]string) + + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) +} + +#ClusterExternalSecretConditionType: string // #enumClusterExternalSecretConditionType + +#enumClusterExternalSecretConditionType: + #ClusterExternalSecretReady + +#ClusterExternalSecretReady: #ClusterExternalSecretConditionType & "Ready" + +#ClusterExternalSecretStatusCondition: { + type: #ClusterExternalSecretConditionType @go(Type) + status: corev1.#ConditionStatus @go(Status) + + // +optional + message?: string @go(Message) +} + +// ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. +#ClusterExternalSecretNamespaceFailure: { + // Namespace is the namespace that failed when trying to apply an ExternalSecret + namespace: string @go(Namespace) + + // Reason is why the ExternalSecret failed to apply to the namespace + // +optional + reason?: string @go(Reason) +} + +// ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
+#ClusterExternalSecretStatus: { + // ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret + externalSecretName?: string @go(ExternalSecretName) + + // Failed namespaces are the namespaces that failed to apply an ExternalSecret + // +optional + failedNamespaces?: [...#ClusterExternalSecretNamespaceFailure] @go(FailedNamespaces,[]ClusterExternalSecretNamespaceFailure) + + // ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets + // +optional + provisionedNamespaces?: [...string] @go(ProvisionedNamespaces,[]string) + + // +optional + conditions?: [...#ClusterExternalSecretStatusCondition] @go(Conditions,[]ClusterExternalSecretStatusCondition) +} + +// +kubebuilder:object:root=true +// +kubebuilder:storageversion +// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=ces +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.externalSecretSpec.secretStoreRef.name` +// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshTime` +// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status` +// ClusterExternalSecret is the Schema for the clusterexternalsecrets API. +#ClusterExternalSecret: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #ClusterExternalSecretSpec @go(Spec) + status?: #ClusterExternalSecretStatus @go(Status) +} + +// ClusterExternalSecretList contains a list of ClusterExternalSecret. +#ClusterExternalSecretList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#ClusterExternalSecret] @go(Items,[]ClusterExternalSecret) +} 
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/doc_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/doc_go_gen.cue new file mode 100644 index 000000000..fcd0c6962 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/doc_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +// Package v1beta1 contains resources for external-secrets +// +kubebuilder:object:generate=true +// +groupName=external-secrets.io +// +versionName=v1beta1 +package v1beta1 diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/externalsecret_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/externalsecret_types_go_gen.cue new file mode 100644 index 000000000..41df438a3 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/externalsecret_types_go_gen.cue 
@@ -0,0 +1,496 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. +#SecretStoreRef: { + // Name of the SecretStore resource + name: string @go(Name) + + // Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + // Defaults to `SecretStore` + // +optional + kind?: string @go(Kind) +} + +// ExternalSecretCreationPolicy defines rules on how to create the resulting Secret. +// +kubebuilder:validation:Enum=Owner;Orphan;Merge;None +#ExternalSecretCreationPolicy: string // #enumExternalSecretCreationPolicy + +#enumExternalSecretCreationPolicy: + #CreatePolicyOwner | + #CreatePolicyOrphan | + #CreatePolicyMerge | + #CreatePolicyNone + +// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource. +#CreatePolicyOwner: #ExternalSecretCreationPolicy & "Owner" + +// Orphan creates the Secret and does not set the ownerReference. +// I.e. it will be orphaned after the deletion of the ExternalSecret. +#CreatePolicyOrphan: #ExternalSecretCreationPolicy & "Orphan" + +// Merge does not create the Secret, but merges the data fields to the Secret. +#CreatePolicyMerge: #ExternalSecretCreationPolicy & "Merge" + +// None does not create a Secret (future use with injector). +#CreatePolicyNone: #ExternalSecretCreationPolicy & "None" + +// ExternalSecretDeletionPolicy defines rules on how to delete the resulting Secret. +// +kubebuilder:validation:Enum=Delete;Merge;Retain +#ExternalSecretDeletionPolicy: string // #enumExternalSecretDeletionPolicy + +#enumExternalSecretDeletionPolicy: + #DeletionPolicyDelete | + #DeletionPolicyMerge | + #DeletionPolicyRetain + +// Delete deletes the secret if all provider secrets are deleted. 
+// If a secret gets deleted on the provider side and is not accessible +// anymore this is not considered an error and the ExternalSecret +// does not go into SecretSyncedError status. +#DeletionPolicyDelete: #ExternalSecretDeletionPolicy & "Delete" + +// Merge removes keys in the secret, but not the secret itself. +// If a secret gets deleted on the provider side and is not accessible +// anymore this is not considered an error and the ExternalSecret +// does not go into SecretSyncedError status. +#DeletionPolicyMerge: #ExternalSecretDeletionPolicy & "Merge" + +// Retain will retain the secret if all provider secrets have been deleted. +// If a provider secret does not exist the ExternalSecret gets into the +// SecretSyncedError status. +#DeletionPolicyRetain: #ExternalSecretDeletionPolicy & "Retain" + +// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. +#ExternalSecretTemplateMetadata: { + // +optional + annotations?: {[string]: string} @go(Annotations,map[string]string) + + // +optional + labels?: {[string]: string} @go(Labels,map[string]string) +} + +// ExternalSecretTemplate defines a blueprint for the created Secret resource. +// we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448 +#ExternalSecretTemplate: { + // +optional + type?: corev1.#SecretType @go(Type) + + // EngineVersion specifies the template engine version + // that should be used to compile/execute the + // template specified in .data and .templateFrom[]. 
+ // +kubebuilder:default="v2" + engineVersion?: #TemplateEngineVersion @go(EngineVersion) + + // +optional + metadata?: #ExternalSecretTemplateMetadata @go(Metadata) + + // +kubebuilder:default="Replace" + mergePolicy?: #TemplateMergePolicy @go(MergePolicy) + + // +optional + data?: {[string]: string} @go(Data,map[string]string) + + // +optional + templateFrom?: [...#TemplateFrom] @go(TemplateFrom,[]TemplateFrom) +} + +// +kubebuilder:validation:Enum=Replace;Merge +#TemplateMergePolicy: string // #enumTemplateMergePolicy + +#enumTemplateMergePolicy: + #MergePolicyReplace | + #MergePolicyMerge + +#MergePolicyReplace: #TemplateMergePolicy & "Replace" +#MergePolicyMerge: #TemplateMergePolicy & "Merge" + +// +kubebuilder:validation:Enum=v1;v2 +#TemplateEngineVersion: string // #enumTemplateEngineVersion + +#enumTemplateEngineVersion: + #TemplateEngineV1 | + #TemplateEngineV2 + +#TemplateEngineV1: #TemplateEngineVersion & "v1" +#TemplateEngineV2: #TemplateEngineVersion & "v2" + +#TemplateFrom: { + configMap?: null | #TemplateRef @go(ConfigMap,*TemplateRef) + secret?: null | #TemplateRef @go(Secret,*TemplateRef) + + // +optional + // +optional + // +kubebuilder:default="Data" + target?: #TemplateTarget @go(Target) + + // +optional + literal?: null | string @go(Literal,*string) +} + +// +kubebuilder:validation:Enum=Values;KeysAndValues +#TemplateScope: string // #enumTemplateScope + +#enumTemplateScope: + #TemplateScopeValues | + #TemplateScopeKeysAndValues + +#TemplateScopeValues: #TemplateScope & "Values" +#TemplateScopeKeysAndValues: #TemplateScope & "KeysAndValues" + +// +kubebuilder:validation:Enum=Data;Annotations;Labels +#TemplateTarget: string // #enumTemplateTarget + +#enumTemplateTarget: + #TemplateTargetData | + #TemplateTargetAnnotations | + #TemplateTargetLabels + +#TemplateTargetData: #TemplateTarget & "Data" +#TemplateTargetAnnotations: #TemplateTarget & "Annotations" +#TemplateTargetLabels: #TemplateTarget & "Labels" + +#TemplateRef: { + name: string 
@go(Name) + items: [...#TemplateRefItem] @go(Items,[]TemplateRefItem) +} + +#TemplateRefItem: { + key: string @go(Key) + + // +kubebuilder:default="Values" + templateAs?: #TemplateScope @go(TemplateAs) +} + +// ExternalSecretTarget defines the Kubernetes Secret to be created +// There can be only one target per ExternalSecret. +#ExternalSecretTarget: { + // Name defines the name of the Secret resource to be managed + // This field is immutable + // Defaults to the .metadata.name of the ExternalSecret resource + // +optional + name?: string @go(Name) + + // CreationPolicy defines rules on how to create the resulting Secret + // Defaults to 'Owner' + // +optional + // +kubebuilder:default="Owner" + creationPolicy?: #ExternalSecretCreationPolicy @go(CreationPolicy) + + // DeletionPolicy defines rules on how to delete the resulting Secret + // Defaults to 'Retain' + // +optional + // +kubebuilder:default="Retain" + deletionPolicy?: #ExternalSecretDeletionPolicy @go(DeletionPolicy) + + // Template defines a blueprint for the created Secret resource. + // +optional + template?: null | #ExternalSecretTemplate @go(Template,*ExternalSecretTemplate) + + // Immutable defines if the final secret will be immutable + // +optional + immutable?: bool @go(Immutable) +} + +// ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. +#ExternalSecretData: { + // SecretKey defines the key in which the controller stores + // the value. This is the key in the Kind=Secret + secretKey: string @go(SecretKey) + + // RemoteRef points to the remote secret and defines + // which secret (version/property/..) to fetch. + remoteRef: #ExternalSecretDataRemoteRef @go(RemoteRef) + + // SourceRef allows you to override the source + // from which the value will pulled from. + sourceRef?: null | #SourceRef @go(SourceRef,*SourceRef) +} + +// ExternalSecretDataRemoteRef defines Provider data location. 
+#ExternalSecretDataRemoteRef: { + // Key is the key used in the Provider, mandatory + key: string @go(Key) + + // +optional + // Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + // +kubebuilder:default="None" + metadataPolicy?: #ExternalSecretMetadataPolicy @go(MetadataPolicy) + + // +optional + // Used to select a specific property of the Provider value (if a map), if supported + property?: string @go(Property) + + // +optional + // Used to select a specific version of the Provider value, if supported + version?: string @go(Version) + + // +optional + // Used to define a conversion Strategy + // +kubebuilder:default="Default" + conversionStrategy?: #ExternalSecretConversionStrategy @go(ConversionStrategy) + + // +optional + // Used to define a decoding Strategy + // +kubebuilder:default="None" + decodingStrategy?: #ExternalSecretDecodingStrategy @go(DecodingStrategy) +} + +// +kubebuilder:validation:Enum=None;Fetch +#ExternalSecretMetadataPolicy: string // #enumExternalSecretMetadataPolicy + +#enumExternalSecretMetadataPolicy: + #ExternalSecretMetadataPolicyNone | + #ExternalSecretMetadataPolicyFetch + +#ExternalSecretMetadataPolicyNone: #ExternalSecretMetadataPolicy & "None" +#ExternalSecretMetadataPolicyFetch: #ExternalSecretMetadataPolicy & "Fetch" + +// +kubebuilder:validation:Enum=Default;Unicode +#ExternalSecretConversionStrategy: string // #enumExternalSecretConversionStrategy + +#enumExternalSecretConversionStrategy: + #ExternalSecretConversionDefault | + #ExternalSecretConversionUnicode + +#ExternalSecretConversionDefault: #ExternalSecretConversionStrategy & "Default" +#ExternalSecretConversionUnicode: #ExternalSecretConversionStrategy & "Unicode" + +// +kubebuilder:validation:Enum=Auto;Base64;Base64URL;None +#ExternalSecretDecodingStrategy: string // #enumExternalSecretDecodingStrategy + +#enumExternalSecretDecodingStrategy: + #ExternalSecretDecodeAuto | + #ExternalSecretDecodeBase64 | + 
#ExternalSecretDecodeBase64URL | + #ExternalSecretDecodeNone + +#ExternalSecretDecodeAuto: #ExternalSecretDecodingStrategy & "Auto" +#ExternalSecretDecodeBase64: #ExternalSecretDecodingStrategy & "Base64" +#ExternalSecretDecodeBase64URL: #ExternalSecretDecodingStrategy & "Base64URL" +#ExternalSecretDecodeNone: #ExternalSecretDecodingStrategy & "None" + +#ExternalSecretDataFromRemoteRef: { + // Used to extract multiple key/value pairs from one secret + // Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. + // +optional + extract?: null | #ExternalSecretDataRemoteRef @go(Extract,*ExternalSecretDataRemoteRef) + + // Used to find secrets based on tags or regular expressions + // Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. + // +optional + find?: null | #ExternalSecretFind @go(Find,*ExternalSecretFind) + + // Used to rewrite secret Keys after getting them from the secret Provider + // Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + // +optional + rewrite?: [...#ExternalSecretRewrite] @go(Rewrite,[]ExternalSecretRewrite) + + // SourceRef points to a store or generator + // which contains secret values ready to use. + // Use this in combination with Extract or Find pull values out of + // a specific SecretStore. + // When sourceRef points to a generator Extract or Find is not supported. + // The generator returns a static map of values + sourceRef?: null | #SourceRef @go(SourceRef,*SourceRef) +} + +#ExternalSecretRewrite: { + // Used to rewrite with regular expressions. + // The resulting key will be the output of a regexp.ReplaceAll operation. + // +optional + regexp?: null | #ExternalSecretRewriteRegexp @go(Regexp,*ExternalSecretRewriteRegexp) + + // Used to apply string transformation on the secrets. + // The resulting key will be the output of the template applied by the operation. 
+ // +optional + transform?: null | #ExtermalSecretRewriteTransform @go(Transform,*ExtermalSecretRewriteTransform) +} + +#ExternalSecretRewriteRegexp: { + // Used to define the regular expression of a re.Compiler. + source: string @go(Source) + + // Used to define the target pattern of a ReplaceAll operation. + target: string @go(Target) +} + +#ExtermalSecretRewriteTransform: { + // Used to define the template to apply on the secret name. + // `.value ` will specify the secret name in the template. + template: string @go(Template) +} + +#ExternalSecretFind: { + // A root path to start the find operations. + // +optional + path?: null | string @go(Path,*string) + + // Finds secrets based on the name. + // +optional + name?: null | #FindName @go(Name,*FindName) + + // Find secrets based on tags. + // +optional + tags?: {[string]: string} @go(Tags,map[string]string) + + // +optional + // Used to define a conversion Strategy + // +kubebuilder:default="Default" + conversionStrategy?: #ExternalSecretConversionStrategy @go(ConversionStrategy) + + // +optional + // Used to define a decoding Strategy + // +kubebuilder:default="None" + decodingStrategy?: #ExternalSecretDecodingStrategy @go(DecodingStrategy) +} + +#FindName: { + // Finds secrets base + // +optional + regexp?: string @go(RegExp) +} + +// ExternalSecretSpec defines the desired state of ExternalSecret. +#ExternalSecretSpec: { + // +optional + secretStoreRef: #SecretStoreRef @go(SecretStoreRef) + + // +kubebuilder:default={creationPolicy:Owner,deletionPolicy:Retain} + // +optional + target?: #ExternalSecretTarget @go(Target) + + // RefreshInterval is the amount of time before the values are read again from the SecretStore provider + // Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + // May be set to zero to fetch and create it once. Defaults to 1h. 
+ // +kubebuilder:default="1h" + refreshInterval?: null | metav1.#Duration @go(RefreshInterval,*metav1.Duration) + + // Data defines the connection between the Kubernetes Secret keys and the Provider data + // +optional + data?: [...#ExternalSecretData] @go(Data,[]ExternalSecretData) + + // DataFrom is used to fetch all properties from a specific Provider data + // If multiple entries are specified, the Secret keys are merged in the specified order + // +optional + dataFrom?: [...#ExternalSecretDataFromRemoteRef] @go(DataFrom,[]ExternalSecretDataFromRemoteRef) +} + +// SourceRef allows you to override the source +// from which the secret will be pulled from. +// You can define at maximum one property. +// +kubebuilder:validation:MaxProperties=1 +#SourceRef: { + // +optional + storeRef?: null | #SecretStoreRef @go(SecretStoreRef,*SecretStoreRef) + + // GeneratorRef points to a generator custom resource in + // +optional + generatorRef?: null | #GeneratorRef @go(GeneratorRef,*GeneratorRef) +} + +// GeneratorRef points to a generator custom resource. +#GeneratorRef: { + // Specify the apiVersion of the generator resource + // +kubebuilder:default="generators.external-secrets.io/v1alpha1" + apiVersion?: string @go(APIVersion) + + // Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. 
+ kind: string @go(Kind) + + // Specify the name of the generator resource + name: string @go(Name) +} + +#ExternalSecretConditionType: string // #enumExternalSecretConditionType + +#enumExternalSecretConditionType: + #ExternalSecretReady | + #ExternalSecretDeleted + +#ExternalSecretReady: #ExternalSecretConditionType & "Ready" +#ExternalSecretDeleted: #ExternalSecretConditionType & "Deleted" + +#ExternalSecretStatusCondition: { + type: #ExternalSecretConditionType @go(Type) + status: corev1.#ConditionStatus @go(Status) + + // +optional + reason?: string @go(Reason) + + // +optional + message?: string @go(Message) + + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) +} + +// ConditionReasonSecretSynced indicates that the secrets was synced. +#ConditionReasonSecretSynced: "SecretSynced" + +// ConditionReasonSecretSyncedError indicates that there was an error syncing the secret. +#ConditionReasonSecretSyncedError: "SecretSyncedError" + +// ConditionReasonSecretDeleted indicates that the secret has been deleted. 
+#ConditionReasonSecretDeleted: "SecretDeleted" +#ReasonInvalidStoreRef: "InvalidStoreRef" +#ReasonUnavailableStore: "UnavailableStore" +#ReasonProviderClientConfig: "InvalidProviderClientConfig" +#ReasonUpdateFailed: "UpdateFailed" +#ReasonDeprecated: "ParameterDeprecated" +#ReasonUpdated: "Updated" +#ReasonDeleted: "Deleted" + +#ExternalSecretStatus: { + // +nullable + // refreshTime is the time and date the external secret was fetched and + // the target secret updated + refreshTime?: metav1.#Time @go(RefreshTime) + + // SyncedResourceVersion keeps track of the last synced version + syncedResourceVersion?: string @go(SyncedResourceVersion) + + // +optional + conditions?: [...#ExternalSecretStatusCondition] @go(Conditions,[]ExternalSecretStatusCondition) + + // Binding represents a servicebinding.io Provisioned Service reference to the secret + binding?: corev1.#LocalObjectReference @go(Binding) +} + +// +kubebuilder:object:root=true +// +kubebuilder:storageversion +// ExternalSecret is the Schema for the external-secrets API. +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=es +// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.name` +// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshInterval` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason` +// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status` +#ExternalSecret: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #ExternalSecretSpec @go(Spec) + status?: #ExternalSecretStatus @go(Status) +} + +// AnnotationDataHash is used to ensure consistency. 
+#AnnotationDataHash: "reconcile.external-secrets.io/data-hash" + +// LabelOwner points to the owning ExternalSecret resource +// and is used to manage the lifecycle of a Secret +#LabelOwner: "reconcile.external-secrets.io/created-by" + +// ExternalSecretList contains a list of ExternalSecret resources. +#ExternalSecretList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#ExternalSecret] @go(Items,[]ExternalSecret) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/externalsecret_validator_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/externalsecret_validator_go_gen.cue new file mode 100644 index 000000000..d09de0460 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/externalsecret_validator_go_gen.cue @@ -0,0 +1,20 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +package v1beta1 + +#ExternalSecretValidator: { +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/generic_store_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/generic_store_go_gen.cue new file mode 100644 index 000000000..6e6364c7c --- /dev/null 
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/generic_store_go_gen.cue @@ -0,0 +1,9 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +// GenericStore is a common interface for interacting with ClusterSecretStore +// or a namespaced SecretStore. +#GenericStore: _ diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/provider_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/provider_go_gen.cue new file mode 100644 index 000000000..742d51425 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/provider_go_gen.cue 
@@ -0,0 +1,40 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+// Ready indicates that the client is configured correctly
+// and can be used.
+#ValidationResultReady: #ValidationResult & 0
+
+// Unknown indicates that the client can be used
+// but information is missing and it can not be validated.
+#ValidationResultUnknown: #ValidationResult & 1
+
+// Error indicates that there is a misconfiguration.
+#ValidationResultError: #ValidationResult & 2
+
+#ValidationResult: uint8 // #enumValidationResult
+
+#enumValidationResult:
+ #ValidationResultReady |
+ #ValidationResultUnknown |
+ #ValidationResultError
+
+#values_ValidationResult: {
+ ValidationResultReady: #ValidationResultReady
+ ValidationResultUnknown: #ValidationResultUnknown
+ ValidationResultError: #ValidationResultError
+}
+
+// Provider is a common interface for interacting with secret backends.
+#Provider: _
+
+// SecretsClient provides access to secrets.
+#SecretsClient: _
+
+// NoSecretError shall be returned when a GetSecret can not find the
+// desired secret. This is used for deletionPolicy.
+#NoSecretError: {
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/pushsecret_interfaces_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/pushsecret_interfaces_go_gen.cue
new file mode 100644
index 000000000..5bc9d30fb
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/pushsecret_interfaces_go_gen.cue
@@ -0,0 +1,20 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+package v1beta1
+
+// This interface is to allow using v1alpha1 content in Provider registered in v1beta1.
+#PushRemoteRef: _
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/register_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/register_go_gen.cue
new file mode 100644
index 000000000..becbeba75
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/register_go_gen.cue
@@ -0,0 +1,8 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+#Group: "external-secrets.io"
+#Version: "v1beta1"
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretsstore_delinea_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretsstore_delinea_types_go_gen.cue
new file mode 100644
index 000000000..ad0dc053b
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretsstore_delinea_types_go_gen.cue
@@ -0,0 +1,39 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+#DelineaProviderSecretRef: {
+ // Value can be specified directly to set a value without using a secret.
+ // +optional
+ value?: string @go(Value)
+
+ // SecretRef references a key in a secret that will be used as value.
+ // +optional
+ secretRef?: null | esmeta.#SecretKeySelector @go(SecretRef,*esmeta.SecretKeySelector)
+}
+
+// See https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.
+#DelineaProvider: {
+ // ClientID is the non-secret part of the credential.
+ clientId?: null | #DelineaProviderSecretRef @go(ClientID,*DelineaProviderSecretRef)
+
+ // ClientSecret is the secret part of the credential.
+ clientSecret?: null | #DelineaProviderSecretRef @go(ClientSecret,*DelineaProviderSecretRef)
+
+ // Tenant is the chosen hostname / site name.
+ tenant: string @go(Tenant)
+
+ // URLTemplate
+ // If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ // +optional
+ urlTemplate?: string @go(URLTemplate)
+
+ // TLD is based on the server location that was chosen during provisioning.
+ // If unset, defaults to "com".
+ // +optional
+ tld?: string @go(TLD)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_akeyless_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_akeyless_types_go_gen.cue
new file mode 100644
index 000000000..a79c3eb95
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_akeyless_types_go_gen.cue
@@ -0,0 +1,70 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// AkeylessProvider Configures an store to sync secrets using Akeyless KV.
+#AkeylessProvider: {
+ // Akeyless GW API Url from which the secrets to be fetched from.
+ akeylessGWApiURL?: null | string @go(AkeylessGWApiURL,*string)
+
+ // Auth configures how the operator authenticates with Akeyless.
+ authSecretRef?: null | #AkeylessAuth @go(Auth,*AkeylessAuth)
+
+ // PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
+ // if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
+ // are used to validate the TLS connection.
+ // +optional
+ caBundle?: bytes @go(CABundle,[]byte)
+
+ // The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ // +optional
+ caProvider?: null | #CAProvider @go(CAProvider,*CAProvider)
+}
+
+#AkeylessAuth: {
+ // Reference to a Secret that contains the details
+ // to authenticate with Akeyless.
+ // +optional
+ secretRef: #AkeylessAuthSecretRef @go(SecretRef)
+
+ // Kubernetes authenticates with Akeyless by passing the ServiceAccount
+ // token stored in the named Secret resource.
+ // +optional
+ kubernetesAuth?: null | #AkeylessKubernetesAuth @go(KubernetesAuth,*AkeylessKubernetesAuth)
+}
+
+// AkeylessAuthSecretRef
+// AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.
+#AkeylessAuthSecretRef: {
+ // The SecretAccessID is used for authentication
+ accessID?: esmeta.#SecretKeySelector @go(AccessID)
+ accessType?: esmeta.#SecretKeySelector @go(AccessType)
+ accessTypeParam?: esmeta.#SecretKeySelector @go(AccessTypeParam)
+}
+
+// Authenticate with Kubernetes ServiceAccount token stored.
+#AkeylessKubernetesAuth: {
+ // the Akeyless Kubernetes auth-method access-id
+ accessID: string @go(AccessID)
+
+ // Kubernetes-auth configuration name in Akeyless-Gateway
+ k8sConfName: string @go(K8sConfName)
+
+ // Optional service account field containing the name of a kubernetes ServiceAccount.
+ // If the service account is specified, the service account secret token JWT will be used
+ // for authenticating with Akeyless. If the service account selector is not supplied,
+ // the secretRef will be used instead.
+ // +optional
+ serviceAccountRef?: null | esmeta.#ServiceAccountSelector @go(ServiceAccountRef,*esmeta.ServiceAccountSelector)
+
+ // Optional secret field containing a Kubernetes ServiceAccount JWT used
+ // for authenticating with Akeyless. If a name is specified without a key,
+ // `token` is the default. If one is not specified, the one bound to
+ // the controller will be used.
+ // +optional
+ secretRef?: null | esmeta.#SecretKeySelector @go(SecretRef,*esmeta.SecretKeySelector)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_alibaba_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_alibaba_types_go_gen.cue
new file mode 100644
index 000000000..667f9626d
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_alibaba_types_go_gen.cue
@@ -0,0 +1,41 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// AlibabaAuth contains a secretRef for credentials.
+#AlibabaAuth: {
+ // +optional
+ secretRef?: null | #AlibabaAuthSecretRef @go(SecretRef,*AlibabaAuthSecretRef)
+
+ // +optional
+ rrsa?: null | #AlibabaRRSAAuth @go(RRSAAuth,*AlibabaRRSAAuth)
+}
+
+// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+#AlibabaAuthSecretRef: {
+ // The AccessKeyID is used for authentication
+ accessKeyIDSecretRef: esmeta.#SecretKeySelector @go(AccessKeyID)
+
+ // The AccessKeySecret is used for authentication
+ accessKeySecretSecretRef: esmeta.#SecretKeySelector @go(AccessKeySecret)
+}
+
+// Authenticate against Alibaba using RRSA.
+#AlibabaRRSAAuth: {
+ oidcProviderArn: string @go(OIDCProviderARN)
+ oidcTokenFilePath: string @go(OIDCTokenFilePath)
+ roleArn: string @go(RoleARN)
+ sessionName: string @go(SessionName)
+}
+
+// AlibabaProvider configures a store to sync secrets using the Alibaba Secret Manager provider.
+#AlibabaProvider: {
+ auth: #AlibabaAuth @go(Auth)
+
+ // Alibaba Region to be used for the provider
+ regionID: string @go(RegionID)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_aws_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_aws_types_go_gen.cue
new file mode 100644
index 000000000..bdcde55c1
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_aws_types_go_gen.cue
@@ -0,0 +1,94 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// AWSAuth tells the controller how to do authentication with aws.
+// Only one of secretRef or jwt can be specified.
+// if none is specified the controller will load credentials using the aws sdk defaults.
+#AWSAuth: {
+ // +optional
+ secretRef?: null | #AWSAuthSecretRef @go(SecretRef,*AWSAuthSecretRef)
+
+ // +optional
+ jwt?: null | #AWSJWTAuth @go(JWTAuth,*AWSJWTAuth)
+}
+
+// AWSAuthSecretRef holds secret references for AWS credentials
+// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+#AWSAuthSecretRef: {
+ // The AccessKeyID is used for authentication
+ accessKeyIDSecretRef?: esmeta.#SecretKeySelector @go(AccessKeyID)
+
+ // The SecretAccessKey is used for authentication
+ secretAccessKeySecretRef?: esmeta.#SecretKeySelector @go(SecretAccessKey)
+
+ // The SessionToken used for authentication
+ // This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+ // see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ // +Optional
+ sessionTokenSecretRef?: null | esmeta.#SecretKeySelector @go(SessionToken,*esmeta.SecretKeySelector)
+}
+
+// Authenticate against AWS using service account tokens.
+#AWSJWTAuth: {
+ serviceAccountRef?: null | esmeta.#ServiceAccountSelector @go(ServiceAccountRef,*esmeta.ServiceAccountSelector)
+}
+
+// AWSServiceType is a enum that defines the service/API that is used to fetch the secrets.
+// +kubebuilder:validation:Enum=SecretsManager;ParameterStore
+#AWSServiceType: string // #enumAWSServiceType
+
+#enumAWSServiceType:
+ #AWSServiceSecretsManager |
+ #AWSServiceParameterStore
+
+// AWSServiceSecretsManager is the AWS SecretsManager.
+// see: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
+#AWSServiceSecretsManager: #AWSServiceType & "SecretsManager"
+
+// AWSServiceParameterStore is the AWS SystemsManager ParameterStore.
+// see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
+#AWSServiceParameterStore: #AWSServiceType & "ParameterStore"
+
+#Tag: {
+ key: string @go(Key)
+ value: string @go(Value)
+}
+
+// AWSProvider configures a store to sync secrets with AWS.
+#AWSProvider: {
+ // Service defines which service should be used to fetch the secrets
+ service: #AWSServiceType @go(Service)
+
+ // Auth defines the information necessary to authenticate against AWS
+ // if not set aws sdk will infer credentials from your environment
+ // see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ // +optional
+ auth: #AWSAuth @go(Auth)
+
+ // Role is a Role ARN which the SecretManager provider will assume
+ // +optional
+ role?: string @go(Role)
+
+ // AWS Region to be used for the provider
+ region: string @go(Region)
+
+ // AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role
+ // +optional
+ additionalRoles?: [...string] @go(AdditionalRoles,[]string)
+
+ // AWS External ID set on assumed IAM roles
+ externalID?: string @go(ExternalID)
+
+ // AWS STS assume role session tags
+ // +optional
+ sessionTags?: [...null | #Tag] @go(SessionTags,[]*Tag)
+
+ // AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore
+ // +optional
+ transitiveTagKeys?: [...null | string] @go(TransitiveTagKeys,[]*string)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_azurekv_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_azurekv_types_go_gen.cue
new file mode 100644
index 000000000..f82a8d125
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_azurekv_types_go_gen.cue
@@ -0,0 +1,95 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// AuthType describes how to authenticate to the Azure Keyvault
+// Only one of the following auth types may be specified.
+// If none of the following auth type is specified, the default one
+// is ServicePrincipal.
+// +kubebuilder:validation:Enum=ServicePrincipal;ManagedIdentity;WorkloadIdentity
+#AzureAuthType: string // #enumAzureAuthType
+
+#enumAzureAuthType:
+ #AzureServicePrincipal |
+ #AzureManagedIdentity |
+ #AzureWorkloadIdentity
+
+// Using service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
+#AzureServicePrincipal: #AzureAuthType & "ServicePrincipal"
+
+// Using Managed Identity to authenticate. Used with aad-pod-identity installed in the cluster.
+#AzureManagedIdentity: #AzureAuthType & "ManagedIdentity"
+
+// Using Workload Identity service accounts to authenticate.
+#AzureWorkloadIdentity: #AzureAuthType & "WorkloadIdentity"
+
+// AzureEnvironmentType specifies the Azure cloud environment endpoints to use for
+// connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+// The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+// +kubebuilder:validation:Enum=PublicCloud;USGovernmentCloud;ChinaCloud;GermanCloud
+#AzureEnvironmentType: string // #enumAzureEnvironmentType
+
+#enumAzureEnvironmentType:
+ #AzureEnvironmentPublicCloud |
+ #AzureEnvironmentUSGovernmentCloud |
+ #AzureEnvironmentChinaCloud |
+ #AzureEnvironmentGermanCloud
+
+#AzureEnvironmentPublicCloud: #AzureEnvironmentType & "PublicCloud"
+#AzureEnvironmentUSGovernmentCloud: #AzureEnvironmentType & "USGovernmentCloud"
+#AzureEnvironmentChinaCloud: #AzureEnvironmentType & "ChinaCloud"
+#AzureEnvironmentGermanCloud: #AzureEnvironmentType & "GermanCloud"
+
+// Configures an store to sync secrets using Azure KV.
+#AzureKVProvider: {
+ // Auth type defines how to authenticate to the keyvault service.
+ // Valid values are:
+ // - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
+ // - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+ // +optional
+ // +kubebuilder:default=ServicePrincipal
+ authType?: null | #AzureAuthType @go(AuthType,*AzureAuthType)
+
+ // Vault Url from which the secrets to be fetched from.
+ vaultUrl?: null | string @go(VaultURL,*string)
+
+ // TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+ // +optional
+ tenantId?: null | string @go(TenantID,*string)
+
+ // EnvironmentType specifies the Azure cloud environment endpoints to use for
+ // connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+ // The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+ // PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+ // +kubebuilder:default=PublicCloud
+ environmentType?: #AzureEnvironmentType @go(EnvironmentType)
+
+ // Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+ // +optional
+ authSecretRef?: null | #AzureKVAuth @go(AuthSecretRef,*AzureKVAuth)
+
+ // ServiceAccountRef specified the service account
+ // that should be used when authenticating with WorkloadIdentity.
+ // +optional
+ serviceAccountRef?: null | smmeta.#ServiceAccountSelector @go(ServiceAccountRef,*smmeta.ServiceAccountSelector)
+
+ // If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ // +optional
+ identityId?: null | string @go(IdentityID,*string)
+}
+
+// Configuration used to authenticate with Azure.
+#AzureKVAuth: {
+ // The Azure clientId of the service principle used for authentication.
+ // +optional
+ clientId?: null | smmeta.#SecretKeySelector @go(ClientID,*smmeta.SecretKeySelector)
+
+ // The Azure ClientSecret of the service principle used for authentication.
+ // +optional
+ clientSecret?: null | smmeta.#SecretKeySelector @go(ClientSecret,*smmeta.SecretKeySelector)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_conjur_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_conjur_types_go_gen.cue
new file mode 100644
index 000000000..a6ef60cc8
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_conjur_types_go_gen.cue
@@ -0,0 +1,49 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+#ConjurProvider: {
+ url: string @go(URL)
+
+ // +optional
+ caBundle?: string @go(CABundle)
+
+ // +optional
+ caProvider?: null | #CAProvider @go(CAProvider,*CAProvider)
+ auth: #ConjurAuth @go(Auth)
+}
+
+#ConjurAuth: {
+ // +optional
+ apikey?: null | #ConjurApikey @go(Apikey,*ConjurApikey)
+
+ // +optional
+ jwt?: null | #ConjurJWT @go(Jwt,*ConjurJWT)
+}
+
+#ConjurApikey: {
+ account: string @go(Account)
+ userRef?: null | esmeta.#SecretKeySelector @go(UserRef,*esmeta.SecretKeySelector)
+ apiKeyRef?: null | esmeta.#SecretKeySelector @go(APIKeyRef,*esmeta.SecretKeySelector)
+}
+
+#ConjurJWT: {
+ account: string @go(Account)
+
+ // The conjur authn jwt webservice id
+ serviceID: string @go(ServiceID)
+
+ // Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ // authenticate with Conjur using the JWT authentication method.
+ // +optional
+ secretRef?: null | esmeta.#SecretKeySelector @go(SecretRef,*esmeta.SecretKeySelector)
+
+ // Optional ServiceAccountRef specifies the Kubernetes service account for which to request
+ // a token for with the `TokenRequest` API.
+ // +optional
+ serviceAccountRef?: null | esmeta.#ServiceAccountSelector @go(ServiceAccountRef,*esmeta.ServiceAccountSelector)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_doppler_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_doppler_types_go_gen.cue
new file mode 100644
index 000000000..0ffe5df77
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_doppler_types_go_gen.cue
@@ -0,0 +1,43 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+#DopplerAuth: {
+ secretRef: #DopplerAuthSecretRef @go(SecretRef)
+}
+
+#DopplerAuthSecretRef: {
+ // The DopplerToken is used for authentication.
+ // See https://docs.doppler.com/reference/api#authentication for auth token types.
+ // The Key attribute defaults to dopplerToken if not specified.
+ dopplerToken: esmeta.#SecretKeySelector @go(DopplerToken)
+}
+
+// DopplerProvider configures a store to sync secrets using the Doppler provider.
+// Project and Config are required if not using a Service Token.
+#DopplerProvider: {
+ // Auth configures how the Operator authenticates with the Doppler API
+ auth?: null | #DopplerAuth @go(Auth,*DopplerAuth)
+
+ // Doppler project (required if not using a Service Token)
+ // +optional
+ project?: string @go(Project)
+
+ // Doppler config (required if not using a Service Token)
+ // +optional
+ config?: string @go(Config)
+
+ // Environment variable compatible name transforms that change secret names to a different format
+ // +kubebuilder:validation:Enum=upper-camel;camel;lower-snake;tf-var;dotnet-env;lower-kebab
+ // +optional
+ nameTransformer?: string @go(NameTransformer)
+
+ // Format enables the downloading of secrets as a file (string)
+ // +kubebuilder:validation:Enum=json;dotnet-json;env;yaml;docker
+ // +optional
+ format?: string @go(Format)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_fake_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_fake_types_go_gen.cue
new file mode 100644
index 000000000..3d7e7bd89
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_fake_types_go_gen.cue
@@ -0,0 +1,17 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+// FakeProvider configures a fake provider that returns static values.
+#FakeProvider: {
+ data: [...#FakeProviderData] @go(Data,[]FakeProviderData)
+}
+
+#FakeProviderData: {
+ key: string @go(Key)
+ value?: string @go(Value)
+ valueMap?: {[string]: string} @go(ValueMap,map[string]string)
+ version?: string @go(Version)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_gcpsm_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_gcpsm_types_go_gen.cue
new file mode 100644
index 000000000..efea47f20
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_gcpsm_types_go_gen.cue
@@ -0,0 +1,38 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+#GCPSMAuth: {
+ // +optional
+ secretRef?: null | #GCPSMAuthSecretRef @go(SecretRef,*GCPSMAuthSecretRef)
+
+ // +optional
+ workloadIdentity?: null | #GCPWorkloadIdentity @go(WorkloadIdentity,*GCPWorkloadIdentity)
+}
+
+#GCPSMAuthSecretRef: {
+ // The SecretAccessKey is used for authentication
+ // +optional
+ secretAccessKeySecretRef?: esmeta.#SecretKeySelector @go(SecretAccessKey)
+}
+
+#GCPWorkloadIdentity: {
+ serviceAccountRef: esmeta.#ServiceAccountSelector @go(ServiceAccountRef)
+ clusterLocation: string @go(ClusterLocation)
+ clusterName: string @go(ClusterName)
+ clusterProjectID?: string @go(ClusterProjectID)
+}
+
+// GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
+#GCPSMProvider: {
+ // Auth defines the information necessary to authenticate against GCP
+ // +optional
+ auth?: #GCPSMAuth @go(Auth)
+
+ // ProjectID project where secret is located
+ projectID?: string @go(ProjectID)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_gitlab_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_gitlab_types_go_gen.cue
new file mode 100644
index 000000000..6bd952caa
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_gitlab_types_go_gen.cue
@@ -0,0 +1,35 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// Configures a store to sync secrets with a GitLab instance.
+#GitlabProvider: {
+ // URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ url?: string @go(URL)
+
+ // Auth configures how secret-manager authenticates with a GitLab instance.
+ auth: #GitlabAuth @go(Auth)
+
+ // ProjectID specifies a project where secrets are located.
+ projectID?: string @go(ProjectID)
+
+ // InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
+ inheritFromGroups?: bool @go(InheritFromGroups)
+
+ // GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
+ groupIDs?: [...string] @go(GroupIDs,[]string)
+
+ // Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
+ environment?: string @go(Environment)
+}
+
+#GitlabAuth: SecretRef: #GitlabSecretRef
+
+#GitlabSecretRef: {
+ // AccessToken is used for authentication.
+ accessToken?: esmeta.#SecretKeySelector @go(AccessToken)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_ibm_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_ibm_types_go_gen.cue
new file mode 100644
index 000000000..5b8c2f21f
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_ibm_types_go_gen.cue
@@ -0,0 +1,39 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// Configures an store to sync secrets using a IBM Cloud Secrets Manager
+// backend.
+#IBMProvider: {
+ // Auth configures how secret-manager authenticates with the IBM secrets manager.
+ auth: #IBMAuth @go(Auth)
+
+ // ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ serviceUrl?: null | string @go(ServiceURL,*string)
+}
+
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+#IBMAuth: {
+ secretRef?: null | #IBMAuthSecretRef @go(SecretRef,*IBMAuthSecretRef)
+ containerAuth?: null | #IBMAuthContainerAuth @go(ContainerAuth,*IBMAuthContainerAuth)
+}
+
+#IBMAuthSecretRef: {
+ // The SecretAccessKey is used for authentication
+ secretApiKeySecretRef?: esmeta.#SecretKeySelector @go(SecretAPIKey)
+}
+
+// IBM Container-based auth with IAM Trusted Profile.
+#IBMAuthContainerAuth: {
+ // the IBM Trusted Profile
+ profile: string @go(Profile)
+
+ // Location the token is mounted on the pod
+ tokenLocation?: string @go(TokenLocation)
+ iamEndpoint?: string @go(IAMEndpoint)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_keepersecurity_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_keepersecurity_types_go_gen.cue
new file mode 100644
index 000000000..45230a4e2
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_keepersecurity_types_go_gen.cue
@@ -0,0 +1,13 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1
+
+package v1beta1
+
+import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// KeeperSecurityProvider Configures a store to sync secrets using Keeper Security.
+#KeeperSecurityProvider: {
+ authRef: smmeta.#SecretKeySelector @go(Auth)
+ folderID: string @go(FolderID)
+}
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_kubernetes_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_kubernetes_types_go_gen.cue
new file mode 100644
index 000000000..6a622f638
--- /dev/null
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_kubernetes_types_go_gen.cue
@@ -0,0 +1,61 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" + +#KubernetesServer: { + // configures the Kubernetes server Address. + // +kubebuilder:default=kubernetes.default + // +optional + url?: string @go(URL) + + // CABundle is a base64-encoded CA certificate + // +optional + caBundle?: bytes @go(CABundle,[]byte) + + // see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider + // +optional + caProvider?: null | #CAProvider @go(CAProvider,*CAProvider) +} + +// Configures a store to sync secrets with a Kubernetes instance. +#KubernetesProvider: { + // configures the Kubernetes server Address. + server?: #KubernetesServer @go(Server) + + // Auth configures how secret-manager authenticates with a Kubernetes instance. + auth: #KubernetesAuth @go(Auth) + + // Remote namespace to fetch the secrets from + // +kubebuilder:default= default + // +optional + remoteNamespace: string @go(RemoteNamespace) +} + +// +kubebuilder:validation:MinProperties=1 +// +kubebuilder:validation:MaxProperties=1 +#KubernetesAuth: { + // has both clientCert and clientKey as secretKeySelector + // +optional + cert?: null | #CertAuth @go(Cert,*CertAuth) + + // use static token to authenticate with + // +optional + token?: null | #TokenAuth @go(Token,*TokenAuth) + + // points to a service account that should be used for authentication + // +optional + serviceAccount?: null | esmeta.#ServiceAccountSelector @go(ServiceAccount,*esmeta.ServiceAccountSelector) +} + +#CertAuth: { + clientCert?: esmeta.#SecretKeySelector @go(ClientCert) + clientKey?: esmeta.#SecretKeySelector @go(ClientKey) +} + +#TokenAuth: { + bearerToken?: esmeta.#SecretKeySelector @go(BearerToken) +} 
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_onepassword_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_onepassword_types_go_gen.cue new file mode 100644 index 000000000..0c2f616a0 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_onepassword_types_go_gen.cue @@ -0,0 +1,30 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" + +// OnePasswordAuth contains a secretRef for credentials. +#OnePasswordAuth: { + secretRef?: null | #OnePasswordAuthSecretRef @go(SecretRef,*OnePasswordAuthSecretRef) +} + +// OnePasswordAuthSecretRef holds secret references for 1Password credentials. +#OnePasswordAuthSecretRef: { + // The ConnectToken is used for authentication to a 1Password Connect Server. + connectTokenSecretRef: esmeta.#SecretKeySelector @go(ConnectToken) +} + +// OnePasswordProvider configures a store to sync secrets using the 1Password Secret Manager provider. +#OnePasswordProvider: { + // Auth defines the information necessary to authenticate against OnePassword Connect Server + auth?: null | #OnePasswordAuth @go(Auth,*OnePasswordAuth) + + // ConnectHost defines the OnePassword Connect Server to connect to + connectHost: string @go(ConnectHost) + + // Vaults defines which OnePassword vaults to search in which order + vaults: {[string]: int} @go(Vaults,map[string]int) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_oracle_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_oracle_types_go_gen.cue new file mode 100644 index 000000000..e65bd8ddc 
--- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_oracle_types_go_gen.cue 
@@ -0,0 +1,63 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" + +#OraclePrincipalType: string // #enumOraclePrincipalType + +#enumOraclePrincipalType: + #UserPrincipal | + #InstancePrincipal | + #WorkloadPrincipal + +// UserPrincipal represents a user principal. +#UserPrincipal: #OraclePrincipalType & "UserPrincipal" + +// InstancePrincipal represents a instance principal. +#InstancePrincipal: #OraclePrincipalType & "InstancePrincipal" + +// WorkloadPrincipal represents a workload principal. +#WorkloadPrincipal: #OraclePrincipalType & "Workload" + +// Configures an store to sync secrets using a Oracle Vault +// backend. +#OracleProvider: { + // Region is the region where vault is located. + region: string @go(Region) + + // Vault is the vault's OCID of the specific vault where secret is located. + vault: string @go(Vault) + + // The type of principal to use for authentication. If left blank, the Auth struct will + // determine the principal type. This optional field must be specified if using + // workload identity. + // +optional + principalType?: #OraclePrincipalType @go(PrincipalType) + + // Auth configures how secret-manager authenticates with the Oracle Vault. + // If empty, use the instance principal, otherwise the user credentials specified in Auth. + // +optional + auth?: null | #OracleAuth @go(Auth,*OracleAuth) +} + +#OracleAuth: { + // Tenancy is the tenancy OCID where user is located. + tenancy: string @go(Tenancy) + + // User is an access OCID specific to the account. + user: string @go(User) + + // SecretRef to pass through sensitive information. + secretRef: #OracleSecretRef @go(SecretRef) +} + +#OracleSecretRef: { + // PrivateKey is the user's API Signing Key in PEM format, used for authentication. 
+ privatekey: esmeta.#SecretKeySelector @go(PrivateKey) + + // Fingerprint is the fingerprint of the API private key. + fingerprint: esmeta.#SecretKeySelector @go(Fingerprint) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_scaleway_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_scaleway_types_go_gen.cue new file mode 100644 index 000000000..41946e7c9 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_scaleway_types_go_gen.cue @@ -0,0 +1,35 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" + +#ScalewayProviderSecretRef: { + // Value can be specified directly to set a value without using a secret. + // +optional + value?: string @go(Value) + + // SecretRef references a key in a secret that will be used as value. + // +optional + secretRef?: null | esmeta.#SecretKeySelector @go(SecretRef,*esmeta.SecretKeySelector) +} + +#ScalewayProvider: { + // APIURL is the url of the api to use. Defaults to https://api.scaleway.com + // +optional + apiUrl?: string @go(APIURL) + + // Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone + region: string @go(Region) + + // ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings + projectId: string @go(ProjectID) + + // AccessKey is the non-secret part of the api key. + accessKey?: null | #ScalewayProviderSecretRef @go(AccessKey,*ScalewayProviderSecretRef) + + // SecretKey is the non-secret part of the api key. + secretKey?: null | #ScalewayProviderSecretRef @go(SecretKey,*ScalewayProviderSecretRef) +} 
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_senhasegura_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_senhasegura_types_go_gen.cue new file mode 100644 index 000000000..8e1fe92a8 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_senhasegura_types_go_gen.cue @@ -0,0 +1,43 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" + +// SenhaseguraAuth tells the controller how to do auth in senhasegura. +// +#SenhaseguraAuth: { + clientId: string @go(ClientID) + clientSecretSecretRef: esmeta.#SecretKeySelector @go(ClientSecret) +} + +// SenhaseguraModuleType enum defines senhasegura target module to fetch secrets +// +kubebuilder:validation:Enum=DSM +// +#SenhaseguraModuleType: string // #enumSenhaseguraModuleType + +#enumSenhaseguraModuleType: + #SenhaseguraModuleDSM + +// SenhaseguraModuleDSM is the senhasegura DevOps Secrets Management module +// see: https://senhasegura.com/devops +#SenhaseguraModuleDSM: #SenhaseguraModuleType & "DSM" + +// SenhaseguraProvider setup a store to sync secrets with senhasegura. +// +#SenhaseguraProvider: { + // URL of senhasegura + url: string @go(URL) + + // Module defines which senhasegura module should be used to get secrets + module: #SenhaseguraModuleType @go(Module) + + // Auth defines parameters to authenticate in senhasegura + auth: #SenhaseguraAuth @go(Auth) + + // IgnoreSslCertificate defines if SSL certificate must be ignored + // +kubebuilder:default=false + ignoreSslCertificate?: bool @go(IgnoreSslCertificate) +} 
diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_types_go_gen.cue new file mode 100644 index 000000000..33bcf5261 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_types_go_gen.cue 
@@ -0,0 +1,257 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + corev1 "k8s.io/api/core/v1" +) + +// SecretStoreSpec defines the desired state of SecretStore. +#SecretStoreSpec: { + // Used to select the correct ESO controller (think: ingress.ingressClassName) + // The ESO controller is instantiated with a specific controller name and filters ES based on this property + // +optional + controller?: string @go(Controller) + + // Used to configure the provider. Only one provider may be set + provider?: null | #SecretStoreProvider @go(Provider,*SecretStoreProvider) + + // Used to configure http retries if failed + // +optional + retrySettings?: null | #SecretStoreRetrySettings @go(RetrySettings,*SecretStoreRetrySettings) + + // Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. + // +optional + refreshInterval?: int @go(RefreshInterval) + + // Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore + // +optional + conditions?: [...#ClusterSecretStoreCondition] @go(Conditions,[]ClusterSecretStoreCondition) +} + +// ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in +// for a ClusterSecretStore instance. +#ClusterSecretStoreCondition: { + // Choose namespace using a labelSelector + // +optional + namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) + + // Choose namespaces by name + namespaces?: [...string] @go(Namespaces,[]string) +} + +// SecretStoreProvider contains the provider-specific configuration. 
+// +kubebuilder:validation:MinProperties=1 +// +kubebuilder:validation:MaxProperties=1 +#SecretStoreProvider: { + // AWS configures this store to sync secrets using AWS Secret Manager provider + // +optional + aws?: null | #AWSProvider @go(AWS,*AWSProvider) + + // AzureKV configures this store to sync secrets using Azure Key Vault provider + // +optional + azurekv?: null | #AzureKVProvider @go(AzureKV,*AzureKVProvider) + + // Akeyless configures this store to sync secrets using Akeyless Vault provider + // +optional + akeyless?: null | #AkeylessProvider @go(Akeyless,*AkeylessProvider) + + // Vault configures this store to sync secrets using Hashi provider + // +optional + vault?: null | #VaultProvider @go(Vault,*VaultProvider) + + // GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider + // +optional + gcpsm?: null | #GCPSMProvider @go(GCPSM,*GCPSMProvider) + + // Oracle configures this store to sync secrets using Oracle Vault provider + // +optional + oracle?: null | #OracleProvider @go(Oracle,*OracleProvider) + + // IBM configures this store to sync secrets using IBM Cloud provider + // +optional + ibm?: null | #IBMProvider @go(IBM,*IBMProvider) + + // YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider + // +optional + yandexcertificatemanager?: null | #YandexCertificateManagerProvider @go(YandexCertificateManager,*YandexCertificateManagerProvider) + + // YandexLockbox configures this store to sync secrets using Yandex Lockbox provider + // +optional + yandexlockbox?: null | #YandexLockboxProvider @go(YandexLockbox,*YandexLockboxProvider) + + // GitLab configures this store to sync secrets using GitLab Variables provider + // +optional + gitlab?: null | #GitlabProvider @go(Gitlab,*GitlabProvider) + + // Alibaba configures this store to sync secrets using Alibaba Cloud provider + // +optional + alibaba?: null | #AlibabaProvider @go(Alibaba,*AlibabaProvider) + + // 
OnePassword configures this store to sync secrets using the 1Password Cloud provider + // +optional + onepassword?: null | #OnePasswordProvider @go(OnePassword,*OnePasswordProvider) + + // Webhook configures this store to sync secrets using a generic templated webhook + // +optional + webhook?: null | #WebhookProvider @go(Webhook,*WebhookProvider) + + // Kubernetes configures this store to sync secrets using a Kubernetes cluster provider + // +optional + kubernetes?: null | #KubernetesProvider @go(Kubernetes,*KubernetesProvider) + + // Fake configures a store with static key/value pairs + // +optional + fake?: null | #FakeProvider @go(Fake,*FakeProvider) + + // Senhasegura configures this store to sync secrets using senhasegura provider + // +optional + senhasegura?: null | #SenhaseguraProvider @go(Senhasegura,*SenhaseguraProvider) + + // Scaleway + // +optional + scaleway?: null | #ScalewayProvider @go(Scaleway,*ScalewayProvider) + + // Doppler configures this store to sync secrets using the Doppler provider + // +optional + doppler?: null | #DopplerProvider @go(Doppler,*DopplerProvider) + + // KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider + // +optional + keepersecurity?: null | #KeeperSecurityProvider @go(KeeperSecurity,*KeeperSecurityProvider) + + // Conjur configures this store to sync secrets using conjur provider + // +optional + conjur?: null | #ConjurProvider @go(Conjur,*ConjurProvider) + + // Delinea DevOps Secrets Vault + // https://docs.delinea.com/online-help/products/devops-secrets-vault/current + // +optional + delinea?: null | #DelineaProvider @go(Delinea,*DelineaProvider) +} + +#CAProviderType: string // #enumCAProviderType + +#enumCAProviderType: + #CAProviderTypeSecret | + #CAProviderTypeConfigMap + +#CAProviderTypeSecret: #CAProviderType & "Secret" +#CAProviderTypeConfigMap: #CAProviderType & "ConfigMap" + +// Used to provide custom certificate authority (CA) certificates +// for a secret store. 
The CAProvider points to a Secret or ConfigMap resource +// that contains a PEM-encoded certificate. +#CAProvider: { + // The type of provider to use such as "Secret", or "ConfigMap". + // +kubebuilder:validation:Enum="Secret";"ConfigMap" + type: #CAProviderType @go(Type) + + // The name of the object located at the provider type. + name: string @go(Name) + + // The key where the CA certificate can be found in the Secret or ConfigMap. + // +kubebuilder:validation:Optional + key?: string @go(Key) + + // The namespace the Provider type is in. + // Can only be defined when used in a ClusterSecretStore. + // +optional + namespace?: null | string @go(Namespace,*string) +} + +#SecretStoreRetrySettings: { + maxRetries?: null | int32 @go(MaxRetries,*int32) + retryInterval?: null | string @go(RetryInterval,*string) +} + +#SecretStoreConditionType: string // #enumSecretStoreConditionType + +#enumSecretStoreConditionType: + #SecretStoreReady + +#SecretStoreReady: #SecretStoreConditionType & "Ready" +#ReasonInvalidStore: "InvalidStoreConfiguration" +#ReasonInvalidProviderConfig: "InvalidProviderConfig" +#ReasonValidationFailed: "ValidationFailed" +#ReasonStoreValid: "Valid" + +#SecretStoreStatusCondition: { + type: #SecretStoreConditionType @go(Type) + status: corev1.#ConditionStatus @go(Status) + + // +optional + reason?: string @go(Reason) + + // +optional + message?: string @go(Message) + + // +optional + lastTransitionTime?: metav1.#Time @go(LastTransitionTime) +} + +// SecretStoreCapabilities defines the possible operations a SecretStore can do. +#SecretStoreCapabilities: string // #enumSecretStoreCapabilities + +#enumSecretStoreCapabilities: + #SecretStoreReadOnly | + #SecretStoreWriteOnly | + #SecretStoreReadWrite + +#SecretStoreReadOnly: #SecretStoreCapabilities & "ReadOnly" +#SecretStoreWriteOnly: #SecretStoreCapabilities & "WriteOnly" +#SecretStoreReadWrite: #SecretStoreCapabilities & "ReadWrite" + +// SecretStoreStatus defines the observed state of the SecretStore. 
+#SecretStoreStatus: { + // +optional + conditions: [...#SecretStoreStatusCondition] @go(Conditions,[]SecretStoreStatusCondition) + + // +optional + capabilities: #SecretStoreCapabilities @go(Capabilities) +} + +// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason` +// +kubebuilder:printcolumn:name="Capabilities",type=string,JSONPath=`.status.capabilities` +// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status` +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=ss +#SecretStore: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #SecretStoreSpec @go(Spec) + status?: #SecretStoreStatus @go(Status) +} + +// SecretStoreList contains a list of SecretStore resources. +#SecretStoreList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#SecretStore] @go(Items,[]SecretStore) +} + +// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. 
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason` +// +kubebuilder:printcolumn:name="Capabilities",type=string,JSONPath=`.status.capabilities` +// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status` +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=css +#ClusterSecretStore: { + metav1.#TypeMeta + metadata?: metav1.#ObjectMeta @go(ObjectMeta) + spec?: #SecretStoreSpec @go(Spec) + status?: #SecretStoreStatus @go(Status) +} + +// ClusterSecretStoreList contains a list of ClusterSecretStore resources. +#ClusterSecretStoreList: { + metav1.#TypeMeta + metadata?: metav1.#ListMeta @go(ListMeta) + items: [...#ClusterSecretStore] @go(Items,[]ClusterSecretStore) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_validator_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_validator_go_gen.cue new file mode 100644 index 000000000..b6d03b1fe --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_validator_go_gen.cue @@ -0,0 +1,10 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +_#errInvalidStore: "invalid store" + +#GenericStoreValidator: { +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_vault_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_vault_types_go_gen.cue new file mode 100644 index 000000000..b7c340d7a --- /dev/null 
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_vault_types_go_gen.cue 
@@ -0,0 +1,325 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" + +#VaultKVStoreVersion: string // #enumVaultKVStoreVersion + +#enumVaultKVStoreVersion: + #VaultKVStoreV1 | + #VaultKVStoreV2 + +#VaultKVStoreV1: #VaultKVStoreVersion & "v1" +#VaultKVStoreV2: #VaultKVStoreVersion & "v2" + +// Configures an store to sync secrets using a HashiCorp Vault +// KV backend. +#VaultProvider: { + // Auth configures how secret-manager authenticates with the Vault server. + auth: #VaultAuth @go(Auth) + + // Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". + server: string @go(Server) + + // Path is the mount path of the Vault KV backend endpoint, e.g: + // "secret". The v2 KV secret engine version specific "/data" path suffix + // for fetching secrets from Vault is optional and will be appended + // if not present in specified path. + // +optional + path?: null | string @go(Path,*string) + + // Version is the Vault KV secret engine version. This can be either "v1" or + // "v2". Version defaults to "v2". + // +kubebuilder:validation:Optional + // +kubebuilder:validation:Enum="v1";"v2" + // +kubebuilder:default:="v2" + version: #VaultKVStoreVersion @go(Version) + + // Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + // Vault environments to support Secure Multi-tenancy. e.g: "ns1". + // More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + // +optional + namespace?: null | string @go(Namespace,*string) + + // PEM encoded CA bundle used to validate Vault server certificate. Only used + // if the Server URL is using HTTPS protocol. This parameter is ignored for + // plain HTTP protocol connection. 
If not set the system root certificates + // are used to validate the TLS connection. + // +optional + caBundle?: bytes @go(CABundle,[]byte) + + // The provider for the CA bundle to use to validate Vault server certificate. + // +optional + caProvider?: null | #CAProvider @go(CAProvider,*CAProvider) + + // ReadYourWrites ensures isolated read-after-write semantics by + // providing discovered cluster replication states in each request. + // More information about eventual consistency in Vault can be found here + // https://www.vaultproject.io/docs/enterprise/consistency + // +optional + readYourWrites?: bool @go(ReadYourWrites) + + // ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + // leader instead of simply retrying within a loop. This can increase performance if + // the option is enabled serverside. + // https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + // +optional + forwardInconsistent?: bool @go(ForwardInconsistent) +} + +// VaultAuth is the configuration used to authenticate with a Vault server. +// Only one of `tokenSecretRef`, `appRole`, `kubernetes`, `ldap`, `userPass`, `jwt` or `cert` +// can be specified. +#VaultAuth: { + // TokenSecretRef authenticates with Vault by presenting a token. + // +optional + tokenSecretRef?: null | esmeta.#SecretKeySelector @go(TokenSecretRef,*esmeta.SecretKeySelector) + + // AppRole authenticates with Vault using the App Role auth mechanism, + // with the role and secret stored in a Kubernetes Secret resource. + // +optional + appRole?: null | #VaultAppRole @go(AppRole,*VaultAppRole) + + // Kubernetes authenticates with Vault by passing the ServiceAccount + // token stored in the named Secret resource to the Vault server. 
+ // +optional + kubernetes?: null | #VaultKubernetesAuth @go(Kubernetes,*VaultKubernetesAuth) + + // Ldap authenticates with Vault by passing username/password pair using + // the LDAP authentication method + // +optional + ldap?: null | #VaultLdapAuth @go(Ldap,*VaultLdapAuth) + + // Jwt authenticates with Vault by passing role and JWT token using the + // JWT/OIDC authentication method + // +optional + jwt?: null | #VaultJwtAuth @go(Jwt,*VaultJwtAuth) + + // Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + // Cert authentication method + // +optional + cert?: null | #VaultCertAuth @go(Cert,*VaultCertAuth) + + // Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + // AWS IAM authentication method + // +optional + iam?: null | #VaultIamAuth @go(Iam,*VaultIamAuth) + + // UserPass authenticates with Vault by passing username/password pair + // +optional + userPass?: null | #VaultUserPassAuth @go(UserPass,*VaultUserPassAuth) +} + +// VaultAppRole authenticates with Vault using the App Role auth mechanism, +// with the role and secret stored in a Kubernetes Secret resource. +#VaultAppRole: { + // Path where the App Role authentication backend is mounted + // in Vault, e.g: "approle" + // +kubebuilder:default=approle + path: string @go(Path) + + // RoleID configured in the App Role authentication backend when setting + // up the authentication backend in Vault. + //+optional + roleId?: string @go(RoleID) + + // Reference to a key in a Secret that contains the App Role ID used + // to authenticate with Vault. + // The `key` field must be specified and denotes which entry within the Secret + // resource is used as the app role id. + //+optional + roleRef?: null | esmeta.#SecretKeySelector @go(RoleRef,*esmeta.SecretKeySelector) + + // Reference to a key in a Secret that contains the App Role secret used + // to authenticate with Vault. 
+ // The `key` field must be specified and denotes which entry within the Secret + // resource is used as the app role secret. + secretRef: esmeta.#SecretKeySelector @go(SecretRef) +} + +// Authenticate against Vault using a Kubernetes ServiceAccount token stored in +// a Secret. +#VaultKubernetesAuth: { + // Path where the Kubernetes authentication backend is mounted in Vault, e.g: + // "kubernetes" + // +kubebuilder:default=kubernetes + mountPath: string @go(Path) + + // Optional service account field containing the name of a kubernetes ServiceAccount. + // If the service account is specified, the service account secret token JWT will be used + // for authenticating with Vault. If the service account selector is not supplied, + // the secretRef will be used instead. + // +optional + serviceAccountRef?: null | esmeta.#ServiceAccountSelector @go(ServiceAccountRef,*esmeta.ServiceAccountSelector) + + // Optional secret field containing a Kubernetes ServiceAccount JWT used + // for authenticating with Vault. If a name is specified without a key, + // `token` is the default. If one is not specified, the one bound to + // the controller will be used. + // +optional + secretRef?: null | esmeta.#SecretKeySelector @go(SecretRef,*esmeta.SecretKeySelector) + + // A required field containing the Vault Role to assume. A Role binds a + // Kubernetes ServiceAccount with a set of Vault policies. + role: string @go(Role) +} + +// VaultLdapAuth authenticates with Vault using the LDAP authentication method, +// with the username and password stored in a Kubernetes Secret resource. 
+#VaultLdapAuth: { + // Path where the LDAP authentication backend is mounted + // in Vault, e.g: "ldap" + // +kubebuilder:default=ldap + path: string @go(Path) + + // Username is a LDAP user name used to authenticate using the LDAP Vault + // authentication method + username: string @go(Username) + + // SecretRef to a key in a Secret resource containing password for the LDAP + // user used to authenticate with Vault using the LDAP authentication + // method + secretRef?: esmeta.#SecretKeySelector @go(SecretRef) +} + +// VaultAwsAuth tells the controller how to do authentication with aws. +// Only one of secretRef or jwt can be specified. +// if none is specified the controller will try to load credentials from its own service account assuming it is IRSA enabled. +#VaultAwsAuth: { + // +optional + secretRef?: null | #VaultAwsAuthSecretRef @go(SecretRef,*VaultAwsAuthSecretRef) + + // +optional + jwt?: null | #VaultAwsJWTAuth @go(JWTAuth,*VaultAwsJWTAuth) +} + +// VaultAWSAuthSecretRef holds secret references for AWS credentials +// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. +#VaultAwsAuthSecretRef: { + // The AccessKeyID is used for authentication + accessKeyIDSecretRef?: esmeta.#SecretKeySelector @go(AccessKeyID) + + // The SecretAccessKey is used for authentication + secretAccessKeySecretRef?: esmeta.#SecretKeySelector @go(SecretAccessKey) + + // The SessionToken used for authentication + // This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + // see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html + // +Optional + sessionTokenSecretRef?: null | esmeta.#SecretKeySelector @go(SessionToken,*esmeta.SecretKeySelector) +} + +// Authenticate against AWS using service account tokens. 
+#VaultAwsJWTAuth: { + serviceAccountRef?: null | esmeta.#ServiceAccountSelector @go(ServiceAccountRef,*esmeta.ServiceAccountSelector) +} + +// VaultKubernetesServiceAccountTokenAuth authenticates with Vault using a temporary +// Kubernetes service account token retrieved by the `TokenRequest` API. +#VaultKubernetesServiceAccountTokenAuth: { + // Service account field containing the name of a kubernetes ServiceAccount. + serviceAccountRef: esmeta.#ServiceAccountSelector @go(ServiceAccountRef) + + // Optional audiences field that will be used to request a temporary Kubernetes service + // account token for the service account referenced by `serviceAccountRef`. + // Defaults to a single audience `vault` it not specified. + // Deprecated: use serviceAccountRef.Audiences instead + // +optional + audiences?: null | [...string] @go(Audiences,*[]string) + + // Optional expiration time in seconds that will be used to request a temporary + // Kubernetes service account token for the service account referenced by + // `serviceAccountRef`. + // Deprecated: this will be removed in the future. + // Defaults to 10 minutes. + // +optional + expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) +} + +// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication +// method, with the role name and a token stored in a Kubernetes Secret resource or +// a Kubernetes service account token retrieved via `TokenRequest`. +#VaultJwtAuth: { + // Path where the JWT authentication backend is mounted + // in Vault, e.g: "jwt" + // +kubebuilder:default=jwt + path: string @go(Path) + + // Role is a JWT role to authenticate using the JWT/OIDC Vault + // authentication method + // +optional + role: string @go(Role) + + // Optional SecretRef that refers to a key in a Secret resource containing JWT token to + // authenticate with Vault using the JWT/OIDC authentication method. 
+ // +optional + secretRef?: null | esmeta.#SecretKeySelector @go(SecretRef,*esmeta.SecretKeySelector) + + // Optional ServiceAccountToken specifies the Kubernetes service account for which to request + // a token for with the `TokenRequest` API. + // +optional + kubernetesServiceAccountToken?: null | #VaultKubernetesServiceAccountTokenAuth @go(KubernetesServiceAccountToken,*VaultKubernetesServiceAccountTokenAuth) +} + +// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication +// method, with the role name and token stored in a Kubernetes Secret resource. +#VaultCertAuth: { + // ClientCert is a certificate to authenticate using the Cert Vault + // authentication method + // +optional + clientCert?: esmeta.#SecretKeySelector @go(ClientCert) + + // SecretRef to a key in a Secret resource containing client private key to + // authenticate with Vault using the Cert authentication method + secretRef?: esmeta.#SecretKeySelector @go(SecretRef) +} + +// VaultIamAuth authenticates with Vault using the Vault's AWS IAM authentication method. Refer: https://developer.hashicorp.com/vault/docs/auth/aws +#VaultIamAuth: { + // Path where the AWS auth method is enabled in Vault, e.g: "aws" + path?: string @go(Path) + + // AWS region + region?: string @go(Region) + + // This is the AWS role to be assumed before talking to vault + role?: string @go(AWSIAMRole) + + // Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + vaultRole: string @go(Role) + + // AWS External ID set on assumed IAM roles + externalID?: string @go(ExternalID) + + // X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. 
More details here: https://developer.hashicorp.com/vault/docs/auth/aws + vaultAwsIamServerID?: string @go(VaultAWSIAMServerID) + + // Specify credentials in a Secret object + // +optional + secretRef?: null | #VaultAwsAuthSecretRef @go(SecretRef,*VaultAwsAuthSecretRef) + + // Specify a service account with IRSA enabled + // +optional + jwt?: null | #VaultAwsJWTAuth @go(JWTAuth,*VaultAwsJWTAuth) +} + +// VaultUserPassAuth authenticates with Vault using UserPass authentication method, +// with the username and password stored in a Kubernetes Secret resource. +#VaultUserPassAuth: { + // Path where the UserPassword authentication backend is mounted + // in Vault, e.g: "user" + // +kubebuilder:default=user + path: string @go(Path) + + // Username is a user name used to authenticate using the UserPass Vault + // authentication method + username: string @go(Username) + + // SecretRef to a key in a Secret resource containing password for the + // user used to authenticate with Vault using the UserPass authentication + // method + secretRef?: esmeta.#SecretKeySelector @go(SecretRef) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_webhook_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_webhook_types_go_gen.cue new file mode 100644 index 000000000..cd09d5201 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_webhook_types_go_gen.cue 
@@ -0,0 +1,92 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" +) + +// AkeylessProvider Configures an store to sync secrets using Akeyless KV. +#WebhookProvider: { + // Webhook Method + // +optional, default GET + method?: string @go(Method) + + // Webhook url to call + url: string @go(URL) + + // Headers + // +optional + headers?: {[string]: string} @go(Headers,map[string]string) + + // Body + // +optional + body?: string @go(Body) + + // Timeout + // +optional + timeout?: null | metav1.#Duration @go(Timeout,*metav1.Duration) + + // Result formatting + result: #WebhookResult @go(Result) + + // Secrets to fill in templates + // These secrets will be passed to the templating function as key value pairs under the given name + // +optional + secrets?: [...#WebhookSecret] @go(Secrets,[]WebhookSecret) + + // PEM encoded CA bundle used to validate webhook server certificate. Only used + // if the Server URL is using HTTPS protocol. This parameter is ignored for + // plain HTTP protocol connection. If not set the system root certificates + // are used to validate the TLS connection. + // +optional + caBundle?: bytes @go(CABundle,[]byte) + + // The provider for the CA bundle to use to validate webhook server certificate. + // +optional + caProvider?: null | #WebhookCAProvider @go(CAProvider,*WebhookCAProvider) +} + +#WebhookCAProviderType: string // #enumWebhookCAProviderType + +#enumWebhookCAProviderType: + #WebhookCAProviderTypeSecret | + #WebhookCAProviderTypeConfigMap + +#WebhookCAProviderTypeSecret: #WebhookCAProviderType & "Secret" +#WebhookCAProviderTypeConfigMap: #WebhookCAProviderType & "ConfigMap" + +// Defines a location to fetch the cert for the webhook provider from. 
+#WebhookCAProvider: { + // The type of provider to use such as "Secret", or "ConfigMap". + // +kubebuilder:validation:Enum="Secret";"ConfigMap" + type: #WebhookCAProviderType @go(Type) + + // The name of the object located at the provider type. + name: string @go(Name) + + // The key the value inside of the provider type to use, only used with "Secret" type + // +kubebuilder:validation:Optional + key?: string @go(Key) + + // The namespace the Provider type is in. + // +optional + namespace?: null | string @go(Namespace,*string) +} + +#WebhookResult: { + // Json path of return value + // +optional + jsonPath?: string @go(JSONPath) +} + +#WebhookSecret: { + // Name of this secret in templates + name: string @go(Name) + + // Secret ref to fill in credentials + secretRef: esmeta.#SecretKeySelector @go(SecretRef) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_yandexcertificatemanager_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_yandexcertificatemanager_types_go_gen.cue new file mode 100644 index 000000000..e479abb92 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_yandexcertificatemanager_types_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" + +#YandexCertificateManagerAuth: { + // The authorized key used for authentication + // +optional + authorizedKeySecretRef?: esmeta.#SecretKeySelector @go(AuthorizedKey) +} + +#YandexCertificateManagerCAProvider: { + certSecretRef?: esmeta.#SecretKeySelector @go(Certificate) +} + +// YandexCertificateManagerProvider Configures a store to sync secrets using the Yandex Certificate Manager provider. +#YandexCertificateManagerProvider: { + // Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') + // +optional + apiEndpoint?: string @go(APIEndpoint) + + // Auth defines the information necessary to authenticate against Yandex Certificate Manager + auth: #YandexCertificateManagerAuth @go(Auth) + + // The provider for the CA bundle to use to validate Yandex.Cloud server certificate. + // +optional + caProvider?: null | #YandexCertificateManagerCAProvider @go(CAProvider,*YandexCertificateManagerCAProvider) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types_go_gen.cue new file mode 100644 index 000000000..f2f887a6c --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types_go_gen.cue 
@@ -0,0 +1,31 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1 + +package v1beta1 + +import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1" + +#YandexLockboxAuth: { + // The authorized key used for authentication + // +optional + authorizedKeySecretRef?: esmeta.#SecretKeySelector @go(AuthorizedKey) +} + +#YandexLockboxCAProvider: { + certSecretRef?: esmeta.#SecretKeySelector @go(Certificate) +} + +// YandexLockboxProvider Configures a store to sync secrets using the Yandex Lockbox provider. +#YandexLockboxProvider: { + // Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') + // +optional + apiEndpoint?: string @go(APIEndpoint) + + // Auth defines the information necessary to authenticate against Yandex Lockbox + auth: #YandexLockboxAuth @go(Auth) + + // The provider for the CA bundle to use to validate Yandex.Cloud server certificate. + // +optional + caProvider?: null | #YandexLockboxCAProvider @go(CAProvider,*YandexLockboxCAProvider) +} diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/BUILD.bazel b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/BUILD.bazel new file mode 100644 index 000000000..e223796a0 --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/BUILD.bazel @@ -0,0 +1,11 @@ +load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library") + +cue_library( + name = "cue_v1_library", + srcs = [ + "doc_go_gen.cue", + "types_go_gen.cue", + ], + importpath = "github.com/external-secrets/external-secrets/apis/meta/v1", + visibility = ["//visibility:public"], +) diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/doc_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/doc_go_gen.cue new file mode 100644 index 000000000..5e3d74032 --- /dev/null 
+++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/doc_go_gen.cue @@ -0,0 +1,7 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/meta/v1 + +// Package meta contains meta types for external-secrets APIs +// +kubebuilder:object:generate=true +package v1 diff --git a/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/types_go_gen.cue b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/types_go_gen.cue new file mode 100644 index 000000000..bd9072caf --- /dev/null +++ b/cue.mod/gen/github.com/external-secrets/external-secrets/apis/meta/v1/types_go_gen.cue 
@@ -0,0 +1,39 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go github.com/external-secrets/external-secrets/apis/meta/v1 + +package v1 + +// A reference to a specific 'key' within a Secret resource, +// In some instances, `key` is a required field. +#SecretKeySelector: { + // The name of the Secret resource being referred to. + name?: string @go(Name) + + // Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + // to the namespace of the referent. + // +optional + namespace?: null | string @go(Namespace,*string) + + // The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + // defaulted, in others it may be required. + // +optional + key?: string @go(Key) +} + +// A reference to a ServiceAccount resource. +#ServiceAccountSelector: { + // The name of the ServiceAccount resource being referred to. + name: string @go(Name) + + // Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + // to the namespace of the referent. + // +optional + namespace?: null | string @go(Namespace,*string) + + // Audience specifies the `aud` claim for the service account token + // If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + // then this audiences will be appended to the list + // +optional + audiences?: [...string] @go(Audiences,[]string) +} diff --git a/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue index 83ac7cc84..d3ecc8345 100644 --- a/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue +++ b/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue 
@@ -16,6 +16,7 @@ import ( #DeprecatedRollbackTo: "deprecated.deployment.rollback.to" #DeprecatedTemplateGeneration: "deprecated.daemonset.template.generation" #StatefulSetPodNameLabel: "statefulset.kubernetes.io/pod-name" +#PodIndexLabel: "apps.kubernetes.io/pod-index" // StatefulSet represents a set of pods with consistent identities. // Identities are defined as: diff --git a/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue b/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue index 7dd051294..3a3027906 100644 --- a/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue +++ b/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue @@ -42,10 +42,10 @@ package v1 // AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile. #AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/" -// AppArmorBetaDefaultProfileAnnotatoinKey is the annotation key specifying the default AppArmor profile. +// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile. #AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName" -// AppArmorBetaAllowedProfileAnnotationKey is the annotation key specifying the allowed AppArmor profiles. +// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles. #AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames" // AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default. 
@@ -65,7 +65,7 @@ package v1 // in the Annotations of a Node. #PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods" -// ObjectTTLAnnotations represents a suggestion for kubelet for how long it can cache +// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache // an object (e.g. secret, config map) before fetching it again from apiserver. // This annotation can be attached to node. #ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl" diff --git a/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue index d8d8a3b82..d87edcff5 100644 --- a/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue +++ b/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue @@ -459,6 +459,13 @@ import ( // for machine parsing and tidy display in the CLI. // +optional reason?: string @go(Reason) @protobuf(3,bytes,opt) + + // lastPhaseTransitionTime is the time the phase transitioned from one to another + // and automatically resets to current time everytime a volume phase transitions. + // This is an alpha field and requires enabling PersistentVolumeLastPhaseTransitionTime feature. + // +featureGate=PersistentVolumeLastPhaseTransitionTime + // +optional + lastPhaseTransitionTime?: null | metav1.#Time @go(LastPhaseTransitionTime,*metav1.Time) @protobuf(4,bytes,opt) } // PersistentVolumeList is a list of PersistentVolume items. 
@@ -617,35 +624,35 @@ import ( #PersistentVolumeClaimFileSystemResizePending: #PersistentVolumeClaimConditionType & "FileSystemResizePending" // +enum -#PersistentVolumeClaimResizeStatus: string // #enumPersistentVolumeClaimResizeStatus - -#enumPersistentVolumeClaimResizeStatus: - #PersistentVolumeClaimNoExpansionInProgress | - #PersistentVolumeClaimControllerExpansionInProgress | - #PersistentVolumeClaimControllerExpansionFailed | - #PersistentVolumeClaimNodeExpansionPending | - #PersistentVolumeClaimNodeExpansionInProgress | - #PersistentVolumeClaimNodeExpansionFailed - -// When expansion is complete, the empty string is set by resize controller or kubelet. -#PersistentVolumeClaimNoExpansionInProgress: #PersistentVolumeClaimResizeStatus & "" - -// State set when resize controller starts expanding the volume in control-plane -#PersistentVolumeClaimControllerExpansionInProgress: #PersistentVolumeClaimResizeStatus & "ControllerExpansionInProgress" - -// State set when expansion has failed in resize controller with a terminal error. -// Transient errors such as timeout should not set this status and should leave ResizeStatus +// When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource +// that it does not recognizes, then it should ignore that update and let other controllers +// handle it. +#ClaimResourceStatus: string // #enumClaimResourceStatus + +#enumClaimResourceStatus: + #PersistentVolumeClaimControllerResizeInProgress | + #PersistentVolumeClaimControllerResizeFailed | + #PersistentVolumeClaimNodeResizePending | + #PersistentVolumeClaimNodeResizeInProgress | + #PersistentVolumeClaimNodeResizeFailed + +// State set when resize controller starts resizing the volume in control-plane. +#PersistentVolumeClaimControllerResizeInProgress: #ClaimResourceStatus & "ControllerResizeInProgress" + +// State set when resize has failed in resize controller with a terminal error. 
+// Transient errors such as timeout should not set this status and should leave allocatedResourceStatus // unmodified, so as resize controller can resume the volume expansion. -#PersistentVolumeClaimControllerExpansionFailed: #PersistentVolumeClaimResizeStatus & "ControllerExpansionFailed" +#PersistentVolumeClaimControllerResizeFailed: #ClaimResourceStatus & "ControllerResizeFailed" -// State set when resize controller has finished expanding the volume but further expansion is needed on the node. -#PersistentVolumeClaimNodeExpansionPending: #PersistentVolumeClaimResizeStatus & "NodeExpansionPending" +// State set when resize controller has finished resizing the volume but further resizing of volume +// is needed on the node. +#PersistentVolumeClaimNodeResizePending: #ClaimResourceStatus & "NodeResizePending" -// State set when kubelet starts expanding the volume. -#PersistentVolumeClaimNodeExpansionInProgress: #PersistentVolumeClaimResizeStatus & "NodeExpansionInProgress" +// State set when kubelet starts resizing the volume. +#PersistentVolumeClaimNodeResizeInProgress: #ClaimResourceStatus & "NodeResizeInProgress" -// State set when expansion has failed in kubelet with a terminal error. Transient errors don't set NodeExpansionFailed. -#PersistentVolumeClaimNodeExpansionFailed: #PersistentVolumeClaimResizeStatus & "NodeExpansionFailed" +// State set when resizing has failed in kubelet with a terminal error. Transient errors don't set NodeResizeFailed +#PersistentVolumeClaimNodeResizeFailed: #ClaimResourceStatus & "NodeResizeFailed" // PersistentVolumeClaimCondition contains details about state of pvc #PersistentVolumeClaimCondition: { 
@@ -693,25 +700,71 @@ import ( // +patchStrategy=merge conditions?: [...#PersistentVolumeClaimCondition] @go(Conditions,[]PersistentVolumeClaimCondition) @protobuf(4,bytes,rep) - // allocatedResources is the storage resource within AllocatedResources tracks the capacity allocated to a PVC. It may - // be larger than the actual capacity when a volume expansion operation is requested. + // allocatedResources tracks the resources allocated to a PVC including its capacity. + // Key names follow standard Kubernetes label syntax. Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. + // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // Capacity reported here may be larger than the actual capacity when a volume expansion operation + // is requested. // For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. // If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. // If a volume expansion capacity request is lowered, allocatedResources is only // lowered if there are no expansion operations in progress and if the actual volume capacity // is equal or lower than the requested capacity. + // + // A controller that receives PVC update with previously unknown resourceName + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. 
// +featureGate=RecoverVolumeExpansionFailure // +optional allocatedResources?: #ResourceList @go(AllocatedResources) @protobuf(5,bytes,rep,casttype=ResourceList,castkey=ResourceName) - // resizeStatus stores status of resize operation. - // ResizeStatus is not set by default but when expansion is complete resizeStatus is set to empty - // string by resize controller or kubelet. + // allocatedResourceStatuses stores status of resource being resized for the given PVC. + // Key names follow standard Kubernetes label syntax. Valid values are either: + // * Un-prefixed keys: + // - storage - the capacity of the volume. + // * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource" + // Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered + // reserved and hence may not be used. + // + // ClaimResourceStatus can be in any of following states: + // - ControllerResizeInProgress: + // State set when resize controller starts resizing the volume in control-plane. + // - ControllerResizeFailed: + // State set when resize has failed in resize controller with a terminal error. + // - NodeResizePending: + // State set when resize controller has finished resizing the volume but further resizing of + // volume is needed on the node. + // - NodeResizeInProgress: + // State set when kubelet starts resizing the volume. + // - NodeResizeFailed: + // State set when resizing has failed in kubelet with a terminal error. Transient errors don't set + // NodeResizeFailed. 
+ // For example: if expanding a PVC for more capacity - this field can be one of the following states: + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeFailed" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizePending" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeInProgress" + // - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeFailed" + // When this field is not set, it means that no resize operation is in progress for the given PVC. + // + // A controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus + // should ignore the update for the purpose it was designed. For example - a controller that + // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid + // resources associated with PVC. + // // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature. // +featureGate=RecoverVolumeExpansionFailure + // +mapType=granular // +optional - resizeStatus?: null | #PersistentVolumeClaimResizeStatus @go(ResizeStatus,*PersistentVolumeClaimResizeStatus) @protobuf(6,bytes,opt,casttype=PersistentVolumeClaimResizeStatus) + allocatedResourceStatuses?: {[string]: #ClaimResourceStatus} @go(AllocatedResourceStatuses,map[ResourceName]ClaimResourceStatus) @protobuf(7,bytes,rep) } // +enum 
@@ -2762,6 +2815,25 @@ import ( // +listType=atomic resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + // RestartPolicy defines the restart behavior of individual containers in a pod. + // This field may only be set for init containers, and the only allowed value is "Always". + // For non-init containers or when this field is not specified, + // the restart behavior is defined by the Pod's restart policy and the container type. + // Setting the RestartPolicy as "Always" for the init container will have the following effect: + // this init container will be continually restarted on + // exit until all regular containers have terminated. Once all regular + // containers have completed, all init containers with restartPolicy "Always" + // will be shut down. This lifecycle differs from normal init containers and + // is often referred to as a "sidecar" container. Although this init + // container still starts in the init container sequence, it does not wait + // for the container to complete before proceeding to the next init + // container. Instead, the next init container starts immediately after this + // init container is started, or after any startupProbe has successfully + // completed. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + // Pod volumes to mount into the container's filesystem. // Cannot be updated. // +optional 
@@ -3217,6 +3289,15 @@ import ( #RestartPolicyOnFailure: #RestartPolicy & "OnFailure" #RestartPolicyNever: #RestartPolicy & "Never" +// ContainerRestartPolicy is the restart policy for a single container. +// This may only be set for init containers and only allowed value is "Always". +#ContainerRestartPolicy: string // #enumContainerRestartPolicy + +#enumContainerRestartPolicy: + #ContainerRestartPolicyAlways + +#ContainerRestartPolicyAlways: #ContainerRestartPolicy & "Always" + // DNSPolicy defines how a pod's DNS will be configured. // +enum #DNSPolicy: string // #enumDNSPolicy @@ -3930,15 +4011,9 @@ import ( // // The template will be used to create a new ResourceClaim, which will // be bound to this pod. When this pod is deleted, the ResourceClaim - // will also be deleted. The name of the ResourceClaim will be -, where is the - // PodResourceClaim.Name. Pod validation will reject the pod if the - // concatenated name is not valid for a ResourceClaim (e.g. too long). - // - // An existing ResourceClaim with that name that is not owned by the - // pod will not be used for the pod to avoid using an unrelated - // resource by mistake. Scheduling and pod startup are then blocked - // until the unrelated ResourceClaim is removed. + // will also be deleted. The pod name and resource name, along with a + // generated component, will be used to form a unique name for the + // ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. // // This field is immutable and no changes will be made to the // corresponding ResourceClaim by the control plane after creating the 
@@ -3946,6 +4021,24 @@ import ( resourceClaimTemplateName?: null | string @go(ResourceClaimTemplateName,*string) @protobuf(2,bytes,opt) } +// PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim +// which references a ResourceClaimTemplate. It stores the generated name for +// the corresponding ResourceClaim. +#PodResourceClaimStatus: { + // Name uniquely identifies this resource claim inside the pod. + // This must match the name of an entry in pod.spec.resourceClaims, + // which implies that the string must be a DNS_LABEL. + name: string @go(Name) @protobuf(1,bytes) + + // ResourceClaimName is the name of the ResourceClaim that was + // generated for the Pod in the namespace of the Pod. It this is + // unset, then generating a ResourceClaim was not necessary. The + // pod.spec.resourceClaims entry can be ignored in this case. + // + // +optional + resourceClaimName?: null | string @go(ResourceClaimName,*string) @protobuf(2,bytes,opt) +} + // OSName is the set of OS'es that can be used in OS. #OSName: string // #enumOSName @@ -4270,7 +4363,7 @@ import ( // localhostProfile indicates a profile defined in a file on the node should be used. // The profile must be preconfigured on the node to work. // Must be a descending path, relative to the kubelet's configured seccomp profile location. - // Must only be set if type is "Localhost". + // Must be set if type is "Localhost". Must NOT be set for any other type. // +optional localhostProfile?: null | string @go(LocalhostProfile,*string) @protobuf(2,bytes,opt) } 
@@ -4344,12 +4437,15 @@ import ( value?: null | string @go(Value,*string) @protobuf(2,bytes,opt) } -// IP address information for entries in the (plural) PodIPs field. -// Each entry includes: -// -// IP: An IP address allocated to the pod. Routable at least within the cluster. +// PodIP represents a single IP address allocated to the pod. #PodIP: { - // ip is an IP address (IPv4 or IPv6) assigned to the pod + // IP is the IP address assigned to the pod + ip?: string @go(IP) @protobuf(1,bytes,opt) +} + +// HostIP represents a single IP address allocated to the host. +#HostIP: { + // IP is the IP address assigned to the host ip?: string @go(IP) @protobuf(1,bytes,opt) } @@ -4431,6 +4527,14 @@ import ( // +listType=atomic resizePolicy?: [...#ContainerResizePolicy] @go(ResizePolicy,[]ContainerResizePolicy) @protobuf(23,bytes,rep) + // Restart policy for the container to manage the restart behavior of each + // container within a pod. + // This may only be set for init containers. You cannot set this field on + // ephemeral containers. + // +featureGate=SidecarContainers + // +optional + restartPolicy?: null | #ContainerRestartPolicy @go(RestartPolicy,*ContainerRestartPolicy) @protobuf(24,bytes,opt,casttype=ContainerRestartPolicy) + // Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. // Cannot be updated. // +optional 
@@ -4587,11 +4691,23 @@ import ( // +optional nominatedNodeName?: string @go(NominatedNodeName) @protobuf(11,bytes,opt) - // IP address of the host to which the pod is assigned. Empty if not yet scheduled. + // hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. + // A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will + // not be updated even if there is a node is assigned to pod // +optional hostIP?: string @go(HostIP) @protobuf(5,bytes,opt) - // IP address allocated to the pod. Routable at least within the cluster. + // hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must + // match the hostIP field. This list is empty if the pod has not started yet. + // A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will + // not be updated even if there is a node is assigned to this pod. + // +optional + // +patchStrategy=merge + // +patchMergeKey=ip + // +listType=atomic + hostIPs?: [...#HostIP] @go(HostIPs,[]HostIP) @protobuf(16,bytes,rep) + + // podIP address allocated to the pod. Routable at least within the cluster. // Empty if not yet allocated. // +optional podIP?: string @go(PodIP) @protobuf(6,bytes,opt) @@ -4636,6 +4752,15 @@ import ( // +featureGate=InPlacePodVerticalScaling // +optional resize?: #PodResizeStatus @go(Resize) @protobuf(14,bytes,opt,casttype=PodResizeStatus) + + // Status of resource claims. + // +patchMergeKey=name + // +patchStrategy=merge,retainKeys + // +listType=map + // +listMapKey=name + // +featureGate=DynamicResourceAllocation + // +optional + resourceClaimStatuses?: [...#PodResourceClaimStatus] @go(ResourceClaimStatuses,[]PodResourceClaimStatus) @protobuf(15,bytes,rep) } // PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded 
@@ -5193,10 +5318,9 @@ import ( // This feature depends on whether the underlying cloud-provider supports specifying // the loadBalancerIP when a load balancer is created. // This field will be ignored if the cloud-provider does not support the feature. - // Deprecated: This field was under-specified and its meaning varies across implementations, - // and it cannot support dual-stack. - // As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. - // This field may be removed in a future API version. + // Deprecated: This field was under-specified and its meaning varies across implementations. + // Using it is non-portable and it may not support dual-stack. + // Users are encouraged to use implementation-specific annotations when available. // +optional loadBalancerIP?: string @go(LoadBalancerIP) @protobuf(8,bytes,opt) 
@@ -5339,10 +5463,19 @@ import ( protocol?: #Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol) // The application protocol for this port. + // This is used as a hint for implementations to offer richer behavior for protocols that they understand. // This field follows standard Kubernetes label syntax. - // Un-prefixed names are reserved for IANA standard service names (as per + // Valid values are either: + // + // * Un-prefixed protocol names - reserved for IANA standard service names (as per // RFC-6335 and https://www.iana.org/assignments/service-names). - // Non-standard protocols should use prefixed names such as + // + // * Kubernetes-defined prefixed names: + // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + // + // * Other protocols should use implementation-defined prefixed names such as // mycompany.com/my-custom-protocol. // +optional appProtocol?: null | string @go(AppProtocol,*string) @protobuf(6,bytes,opt) @@ -5576,6 +5709,8 @@ import ( // // * Kubernetes-defined prefixed names: // * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540 + // * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + // * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 // // * Other protocols should use implementation-defined prefixed names such as // mycompany.com/my-custom-protocol. 
@@ -7362,12 +7497,9 @@ import ( runAsUserName?: null | string @go(RunAsUserName,*string) @protobuf(3,bytes,opt) // HostProcess determines if a container should be run as a 'Host Process' container. - // This field is alpha-level and will only be honored by components that enable the - // WindowsHostProcessContainers feature flag. Setting this field without the feature - // flag will result in errors when validating the Pod. All of a Pod's containers must - // have the same effective HostProcess value (it is not allowed to have a mix of HostProcess - // containers and non-HostProcess containers). In addition, if HostProcess is true - // then HostNetwork must also be set to true. + // All of a Pod's containers must have the same effective HostProcess value + // (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + // In addition, if HostProcess is true then HostNetwork must also be set to true. // +optional hostProcess?: null | bool @go(HostProcess,*bool) @protobuf(4,bytes,opt) } diff --git a/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue b/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue index cdb1cd63e..2a1f060b6 100644 --- a/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue +++ b/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue 
@@ -4,9 +4,13 @@ package v1 -#LabelHostname: "kubernetes.io/hostname" -#LabelTopologyZone: "topology.kubernetes.io/zone" -#LabelTopologyRegion: "topology.kubernetes.io/region" +#LabelHostname: "kubernetes.io/hostname" + +// Label value is the network location of kube-apiserver stored as +// Stored in APIServer Identity lease objects to view what address is used for peer proxy +#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address" +#LabelTopologyZone: "topology.kubernetes.io/zone" +#LabelTopologyRegion: "topology.kubernetes.io/region" // These label have been deprecated since 1.17, but will be supported for // the foreseeable future, to accommodate things like long-lived PVs that diff --git a/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue index 87450acec..bbdc7f2b1 100644 --- a/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue +++ b/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue @@ -22,11 +22,6 @@ import ( // spec represents the specification of the desired behavior for this NetworkPolicy. // +optional spec?: #NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt) - - // status represents the current state of the NetworkPolicy. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - // +optional - status?: #NetworkPolicyStatus @go(Status) @protobuf(3,bytes,opt) } // PolicyType string describes the NetworkPolicy type 
@@ -193,52 +188,6 @@ import ( ipBlock?: null | #IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep) } -// NetworkPolicyConditionType is the type for status conditions on -// a NetworkPolicy. This type should be used with the -// NetworkPolicyStatus.Conditions field. -#NetworkPolicyConditionType: string // #enumNetworkPolicyConditionType - -#enumNetworkPolicyConditionType: - #NetworkPolicyConditionStatusAccepted | - #NetworkPolicyConditionStatusPartialFailure | - #NetworkPolicyConditionStatusFailure - -// NetworkPolicyConditionStatusAccepted represents status of a Network Policy that could be properly parsed by -// the Network Policy provider and will be implemented in the cluster -#NetworkPolicyConditionStatusAccepted: #NetworkPolicyConditionType & "Accepted" - -// NetworkPolicyConditionStatusPartialFailure represents status of a Network Policy that could be partially -// parsed by the Network Policy provider and may not be completely implemented due to a lack of a feature or some -// other condition -#NetworkPolicyConditionStatusPartialFailure: #NetworkPolicyConditionType & "PartialFailure" - -// NetworkPolicyConditionStatusFailure represents status of a Network Policy that could not be parsed by the -// Network Policy provider and will not be implemented in the cluster -#NetworkPolicyConditionStatusFailure: #NetworkPolicyConditionType & "Failure" - -// NetworkPolicyConditionReason defines the set of reasons that explain why a -// particular NetworkPolicy condition type has been raised. 
-#NetworkPolicyConditionReason: string // #enumNetworkPolicyConditionReason - -#enumNetworkPolicyConditionReason: - #NetworkPolicyConditionReasonFeatureNotSupported - -// NetworkPolicyConditionReasonFeatureNotSupported represents a reason where the Network Policy may not have been -// implemented in the cluster due to a lack of some feature not supported by the Network Policy provider -#NetworkPolicyConditionReasonFeatureNotSupported: #NetworkPolicyConditionReason & "FeatureNotSupported" - -// NetworkPolicyStatus describes the current state of the NetworkPolicy. -#NetworkPolicyStatus: { - // conditions holds an array of metav1.Condition that describe the state of the NetworkPolicy. - // Current service state - // +optional - // +patchMergeKey=type - // +patchStrategy=merge - // +listType=map - // +listMapKey=type - conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(1,bytes,rep) -} - // NetworkPolicyList is a list of NetworkPolicy objects. #NetworkPolicyList: { metav1.#TypeMeta diff --git a/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue index 4d97b43e9..19f42c1ff 100644 --- a/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue +++ b/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue 
@@ -4,6 +4,33 @@ package v1 +// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation. +// +enum +#FieldValueErrorReason: string // #enumFieldValueErrorReason + +#enumFieldValueErrorReason: + #FieldValueRequired | + #FieldValueDuplicate | + #FieldValueInvalid | + #FieldValueForbidden + +// FieldValueRequired is used to report required values that are not +// provided (e.g. empty strings, null values, or empty arrays). +#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired" + +// FieldValueDuplicate is used to report collisions of values that must be +// unique (e.g. unique IDs). +#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate" + +// FieldValueInvalid is used to report malformed values (e.g. failed regex +// match, too long, out of bounds). +#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid" + +// FieldValueForbidden is used to report valid (as per formatting rules) +// values which would be accepted under some conditions, but which are not +// permitted by the current conditions (such as security policy). +#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden" + // JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/). #JSONSchemaProps: { id?: string @go(ID) @protobuf(1,bytes,opt) 
@@ -237,6 +264,26 @@ package v1 // "x must be less than max ("+string(self.max)+")" // +optional messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt) + + // reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule. + // The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule. + // The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate". + // If not set, default to use "FieldValueInvalid". + // All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid. + // +optional + reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt) + + // fieldPath represents the field path returned when the validation fails. + // It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field. + // e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo` + // If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList` + // It does not support list numeric index. + // It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info. + // Numeric index of array is not supported. + // For field name which contains special characters, use `['specialName']` to refer the field name. + // e.g. 
for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']` + // +optional + fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt) } // JSON represents any valid JSON value. diff --git a/cue.mod/gen/pkg.go.dev/net/url/BUILD.bazel b/cue.mod/gen/pkg.go.dev/net/url/BUILD.bazel new file mode 100644 index 000000000..f1a39f5a5 --- /dev/null +++ b/cue.mod/gen/pkg.go.dev/net/url/BUILD.bazel @@ -0,0 +1,8 @@ +load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library") + +cue_library( + name = "cue_url_library", + srcs = ["url_go_gen.cue"], + importpath = "pkg.go.dev/net/url", + visibility = ["//visibility:public"], +) diff --git a/cue.mod/gen/pkg.go.dev/net/url/url_go_gen.cue b/cue.mod/gen/pkg.go.dev/net/url/url_go_gen.cue new file mode 100644 index 000000000..535234335 --- /dev/null +++ b/cue.mod/gen/pkg.go.dev/net/url/url_go_gen.cue 
@@ -0,0 +1,69 @@ +// Code generated by cue get go. DO NOT EDIT. + +//cue:generate cue get go net/url + +// Package url parses URLs and implements query escaping. +package url + +// Error reports an error and the operation and URL that caused it. +#Error: { + Op: string + URL: string + Err: _ @go(,error) +} + +_#upperhex: "0123456789ABCDEF" + +_#encoding: int + +_#encodePath: _#encoding & 1 +_#encodePathSegment: _#encoding & 2 +_#encodeHost: _#encoding & 3 +_#encodeZone: _#encoding & 4 +_#encodeUserPassword: _#encoding & 5 +_#encodeQueryComponent: _#encoding & 6 +_#encodeFragment: _#encoding & 7 + +#EscapeError: string + +#InvalidHostError: string + +// A URL represents a parsed URL (technically, a URI reference). +// +// The general form represented is: +// +// [scheme:][//[userinfo@]host][/]path[?query][#fragment] +// +// URLs that do not start with a slash after the scheme are interpreted as: +// +// scheme:opaque[?query][#fragment] +// +// Note that the Path field is stored in decoded form: /%47%6f%2f becomes /Go/. +// A consequence is that it is impossible to tell which slashes in the Path were +// slashes in the raw URL and which were %2f. This distinction is rarely important, +// but when it is, the code should use the EscapedPath method, which preserves +// the original encoding of Path. +// +// The RawPath field is an optional field which is only set when the default +// encoding of Path is different from the escaped path. See the EscapedPath method +// for more details. +// +// URL's String method uses the EscapedPath method to obtain the path. +#URL: { + Scheme: string + Opaque: string + Host: string + Path: string + RawPath: string + OmitHost: bool + ForceQuery: bool + RawQuery: string + Fragment: string + RawFragment: string +} + +// Values maps a string key to a list of values. +// It is typically used for query parameters and form values. +// Unlike in the http.Header map, the keys in a Values map +// are case-sensitive. 
+#Values: {[string]: [...string]}
diff --git a/go.mod b/go.mod
index c0806396a..829da604e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,12 +1,15 @@
 module github.com/uhthomas/automata
 
-go 1.19
+go 1.21
 
 require (
- cuelang.org/go v0.6.0
+ cuelang.org/go v0.6.1-0.20231104111545-b15fcb039af1
+ github.com/1Password/onepassword-operator v1.8.0
+ github.com/VictoriaMetrics/operator/api v0.0.0-20231101174116-b89ce3b1ecc1
  github.com/cert-manager/cert-manager v1.13.2
  github.com/cilium/cilium v1.14.2
  github.com/crunchydata/postgres-operator v0.0.0-00010101000000-000000000000
+ github.com/external-secrets/external-secrets v0.9.8
  github.com/prometheus/prometheus v0.47.2
  github.com/rook/rook/pkg/apis v0.0.0-20230822134130-9803bd5aa7b5
  k8s.io/api v0.28.3
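Review bot: This change is described as removing the 1Password operator, yet this hunk adds `github.com/1Password/onepassword-operator v1.8.0` as a direct requirement; if the operator really is gone, that line (and the generated CUE types it exists to feed) looks like a leftover that keeps an unused module in the dependency graph and should be dropped, otherwise the description should say the API types are intentionally kept. Two of the new requirements pin untagged commits by pseudo-version (`cuelang.org/go v0.6.1-0.20231104111545-b15fcb039af1` and `github.com/VictoriaMetrics/operator/api v0.0.0-20231101174116-b89ce3b1ecc1`), which no release notes or security advisory will ever name, so a trailing comment on each stating why a tagged release is not used and what to move to would make future upgrades and vulnerability triage easier; the go.sum entries later in this diff do pin their hashes, so reproducibility itself is not the concern. Be aware that the operator/api module also drags the whole `github.com/VictoriaMetrics/VictoriaMetrics v1.91.3` server module into the graph as an indirect dependency in the next hunk, which widens what `govulncheck` and licence scans must cover for what appears to be API-type-only consumption.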
@@ -17,27 +20,32 @@ require (
 )
 
 require (
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 // indirect
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
- github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+ cuelabs.dev/go/oci/ociregistry v0.0.0-20231004130125-2c3ad8a6ecd3 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/internal v1.4.0 // indirect
  github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
- github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
+ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0 // indirect
  github.com/MakeNowJust/heredoc v1.0.0 // indirect
  github.com/NYTimes/gziphandler v1.1.1 // indirect
+ github.com/VictoriaMetrics/VictoriaMetrics v1.91.3 // indirect
+ github.com/VictoriaMetrics/fasthttp v1.2.0 // indirect
+ github.com/VictoriaMetrics/metrics v1.24.0 // indirect
+ github.com/VictoriaMetrics/metricsql v0.56.2 // indirect
  github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
  github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
  github.com/armon/go-metrics v0.4.1 // indirect
  github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
- github.com/aws/aws-sdk-go v1.45.7 // indirect
+ github.com/aws/aws-sdk-go v1.46.6 // indirect
  github.com/beorn7/perks v1.0.1 // indirect
  github.com/blang/semver/v4 v4.0.0 // indirect
+ github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
  github.com/cenkalti/backoff/v3 v3.2.2 // indirect
  github.com/cenkalti/backoff/v4 v4.2.1 // indirect
  github.com/cespare/xxhash/v2 v2.2.0 // indirect
  github.com/chai2010/gettext-go v1.0.2 // indirect
  github.com/cilium/proxy v0.0.0-20230623092907-8fddead4e52c // indirect
- github.com/cockroachdb/apd/v2 v2.0.2 // indirect
- github.com/cockroachdb/apd/v3 v3.2.0 // indirect
+ github.com/cockroachdb/apd/v3 v3.2.1 // indirect
  github.com/coreos/go-semver v0.3.1 // indirect
  github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
  github.com/coreos/go-systemd/v22 v22.5.0 // indirect
@@ -50,18 +58,18 @@ require (
  github.com/emicklei/go-restful/v3 v3.11.0 // indirect
  github.com/emicklei/proto v1.11.2 // indirect
  github.com/evanphx/json-patch v5.6.0+incompatible // indirect
- github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+ github.com/evanphx/json-patch/v5 v5.7.0 // indirect
  github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
  github.com/fatih/camelcase v1.0.0 // indirect
  github.com/fatih/color v1.15.0 // indirect
  github.com/felixge/httpsnoop v1.0.3 // indirect
- github.com/fsnotify/fsnotify v1.6.0 // indirect
+ github.com/fsnotify/fsnotify v1.7.0 // indirect
  github.com/fvbommel/sortorder v1.1.0 // indirect
  github.com/go-errors/errors v1.4.2 // indirect
  github.com/go-jose/go-jose/v3 v3.0.0 // indirect
  github.com/go-kit/log v0.2.1 // indirect
  github.com/go-logfmt/logfmt v0.6.0 // indirect
- github.com/go-logr/logr v1.2.4 // indirect
+ github.com/go-logr/logr v1.3.0 // indirect
  github.com/go-logr/stdr v1.2.2 // indirect
  github.com/go-ole/go-ole v1.2.6 // indirect
  github.com/go-openapi/analysis v0.21.4 // indirect
@@ -75,19 +83,17 @@ require (
  github.com/go-openapi/swag v0.22.4 // indirect
  github.com/go-openapi/validate v0.22.1 // indirect
  github.com/gogo/protobuf v1.3.2 // indirect
- github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
- github.com/golang/glog v1.1.1 // indirect
+ github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
  github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
  github.com/golang/protobuf v1.5.3 // indirect
  github.com/golang/snappy v0.0.4 // indirect
  github.com/google/btree v1.1.2 // indirect
  github.com/google/cel-go v0.16.1 // indirect
- github.com/google/gnostic v0.6.9 // indirect
  github.com/google/gnostic-models v0.6.8 // indirect
- github.com/google/go-cmp v0.5.9 // indirect
+ github.com/google/go-cmp v0.6.0 // indirect
  github.com/google/gofuzz v1.2.0 // indirect
  github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
- github.com/google/uuid v1.3.1 // indirect
+ github.com/google/uuid v1.4.0 // indirect
  github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd // indirect
  github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
  github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
@@ -99,14 +105,14 @@ require (
  github.com/hashicorp/go-multierror v1.1.1 // indirect
  github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
  github.com/hashicorp/go-rootcerts v1.0.2 // indirect
- github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
  github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
- github.com/hashicorp/go-sockaddr v1.0.2 // indirect
- github.com/hashicorp/golang-lru v0.6.0 // indirect
+ github.com/hashicorp/go-sockaddr v1.0.5 // indirect
+ github.com/hashicorp/golang-lru v1.0.2 // indirect
  github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
  github.com/hashicorp/vault v1.13.5 // indirect
  github.com/hashicorp/vault/api v1.10.0 // indirect
- github.com/hashicorp/vault/api/auth/approle v0.4.1 // indirect
+ github.com/hashicorp/vault/api/auth/approle v0.5.0 // indirect
  github.com/hashicorp/vault/sdk v0.10.0 // indirect
  github.com/imdario/mergo v0.3.16 // indirect
  github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -127,8 +133,8 @@ require (
  github.com/magiconair/properties v1.8.7 // indirect
  github.com/mailru/easyjson v0.7.7 // indirect
  github.com/mattn/go-colorable v0.1.13 // indirect
- github.com/mattn/go-isatty v0.0.19 // indirect
- github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+ github.com/mattn/go-isatty v0.0.20 // indirect
+ github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
  github.com/mitchellh/go-homedir v1.1.0 // indirect
  github.com/mitchellh/go-wordwrap v1.0.1 // indirect
  github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -143,6 +149,7 @@ require (
  github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
  github.com/oklog/ulid v1.3.1 // indirect
  github.com/opencontainers/go-digest v1.0.0 // indirect
+ github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
  github.com/openshift/api v0.0.0-20230804173756-26b8597c4de2 // indirect
  github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
  github.com/pelletier/go-toml/v2 v2.0.8 // indirect
@@ -153,13 +160,13 @@ require (
  github.com/pkg/errors v0.9.1 // indirect
  github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
  github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
- github.com/prometheus/client_golang v1.16.0 // indirect
- github.com/prometheus/client_model v0.4.0 // indirect
- github.com/prometheus/common v0.44.0 // indirect
+ github.com/prometheus/client_golang v1.17.0 // indirect
+ github.com/prometheus/client_model v0.5.0 // indirect
+ github.com/prometheus/common v0.45.0 // indirect
  github.com/prometheus/common/sigv4 v0.1.0 // indirect
- github.com/prometheus/procfs v0.11.1 // indirect
+ github.com/prometheus/procfs v0.12.0 // indirect
  github.com/protocolbuffers/txtpbfmt v0.0.0-20230412060525-fa9f017c0ded // indirect
- github.com/rogpeppe/go-internal v1.11.0 // indirect
+ github.com/rogpeppe/go-internal v1.11.1-0.20230926105539-32ae33786ecc // indirect
  github.com/russross/blackfriday/v2 v2.1.0 // indirect
  github.com/ryanuber/go-glob v1.0.0 // indirect
  github.com/sasha-s/go-deadlock v0.3.1 // indirect
@@ -177,6 +184,12 @@ require (
  github.com/tetratelabs/wazero v1.0.2 // indirect
  github.com/tklauser/go-sysconf v0.3.11 // indirect
  github.com/tklauser/numcpus v0.6.0 // indirect
+ github.com/valyala/bytebufferpool v1.0.0 // indirect
+ github.com/valyala/fastjson v1.6.4 // indirect
+ github.com/valyala/fastrand v1.1.0 // indirect
+ github.com/valyala/fasttemplate v1.2.2 // indirect
+ github.com/valyala/histogram v1.2.0 // indirect
+ github.com/valyala/quicktemplate v1.7.0 // indirect
  github.com/vishvananda/netlink v1.2.1-beta.2.0.20230621221334-77712cff8739 // indirect
  github.com/vishvananda/netns v0.0.4 // indirect
  github.com/xlab/treeprint v1.2.0 // indirect
@@ -184,11 +197,10 @@ require (
  go.etcd.io/etcd/api/v3 v3.5.9 // indirect
  go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect
  go.etcd.io/etcd/client/v3 v3.5.9 // indirect
- go.mongodb.org/mongo-driver v1.12.0 // indirect
+ go.mongodb.org/mongo-driver v1.12.1 // indirect
  go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 // indirect
  go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 // indirect
  go.opentelemetry.io/otel v1.19.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect
  go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect
  go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 // indirect
  go.opentelemetry.io/otel/metric v1.19.0 // indirect
@@ -200,24 +212,24 @@ require (
  go.uber.org/dig v1.17.0 // indirect
  go.uber.org/goleak v1.2.1 // indirect
  go.uber.org/multierr v1.11.0 // indirect
- go.uber.org/zap v1.25.0 // indirect
+ go.uber.org/zap v1.26.0 // indirect
  golang.org/x/crypto v0.14.0 // indirect
- golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
- golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
+ golang.org/x/mod v0.13.0 // indirect
  golang.org/x/net v0.17.0 // indirect
- golang.org/x/oauth2 v0.12.0 // indirect
- golang.org/x/sync v0.3.0 // indirect
+ golang.org/x/oauth2 v0.13.0 // indirect
+ golang.org/x/sync v0.4.0 // indirect
  golang.org/x/sys v0.13.0 // indirect
  golang.org/x/term v0.13.0 // indirect
  golang.org/x/text v0.13.0 // indirect
  golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.13.0 // indirect
+ golang.org/x/tools v0.14.0 // indirect
  gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
- google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 // indirect
- google.golang.org/grpc v1.58.3 // indirect
+ google.golang.org/appengine v1.6.8 // indirect
+ google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+ google.golang.org/grpc v1.59.0 // indirect
  google.golang.org/protobuf v1.31.0 // indirect
  gopkg.in/inf.v0 v0.9.1 // indirect
  gopkg.in/ini.v1 v1.67.0 // indirect
@@ -231,19 +243,19 @@ require (
  k8s.io/component-helpers v0.28.3 // indirect
  k8s.io/klog/v2 v2.100.1 // indirect
  k8s.io/kms v0.28.3 // indirect
- k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f // indirect
+ k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
  k8s.io/kubectl v0.27.2 // indirect
  k8s.io/metrics v0.28.3 // indirect
  k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
  sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.3 // indirect
- sigs.k8s.io/controller-runtime v0.16.1 // indirect
+ sigs.k8s.io/controller-runtime v0.16.3 // indirect
  sigs.k8s.io/gateway-api v0.8.0 // indirect
  sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
  sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
  sigs.k8s.io/kustomize/kustomize/v5 v5.0.4-0.20230601165947-6ce0bf390ce3 // indirect
  sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
- sigs.k8s.io/yaml v1.3.0 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.4.0 // indirect
+ sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
 replace (
diff --git a/go.sum b/go.sum
index f2098af78..621455028 100644
--- a/go.sum
+++ b/go.sum
@@ -38,9 +38,8 @@ cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34h cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I= -cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys= cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= -cloud.google.com/go v0.110.6 h1:8uYAkj3YHTP/1iwReuHPxLSbdcyc+dSBbzFMrVwDR6Q= +cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME= cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4= cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw= cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E= @@ -177,7 +176,8 @@ cloud.google.com/go/compute v1.14.0/go.mod h1:YfLtxrj9sU4Yxv+sXzZkyPjEyPBZfXHUvj cloud.google.com/go/compute v1.15.1/go.mod h1:bjjoF/NtFUrkD/urWfdHaKuOPDR5nWIs63rR+SXhcpA= cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs= cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU= -cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= +cloud.google.com/go/compute v1.23.2 h1:nWEMDhgbBkBJjfpVySqU4jgWdc22PLR0o4vEexZHers= +cloud.google.com/go/compute v1.23.2/go.mod h1:JJ0atRC0J/oWYiiVBmsSsrRnh92DhZPG4hFDcR04Rns= cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU= cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= 
@@ -316,9 +316,9 @@ cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQE cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE= cloud.google.com/go/iam v0.11.0/go.mod h1:9PiLDanza5D+oWFZiH1uG+RnRCfEGKoyl6yo4cgWZGY= cloud.google.com/go/iam v0.12.0/go.mod h1:knyHGviacl11zrtZUoDuYpDgLjvr28sLQaG0YB2GYAY= -cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k= cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0= -cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y= +cloud.google.com/go/iam v1.1.4 h1:K6n/GZHFTtEoKT5aUG3l9diPi0VduZNQ1PfdnpkkIFk= +cloud.google.com/go/iam v1.1.4/go.mod h1:l/rg8l1AaA+VFMho/HYx2Vv6xinPSLMF8qfhRPIZ0L8= cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc= cloud.google.com/go/iap v1.5.0/go.mod h1:UH/CGgKd4KyohZL5Pt0jSKE4m3FR51qg6FKQ/z/Ix9A= cloud.google.com/go/iap v1.6.0/go.mod h1:NSuvI9C/j7UdjGjIde7t7HBz+QTwBcapPE07+sSRcLk= 
@@ -338,9 +338,9 @@ cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6O cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4jMAg= cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w= cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24= -cloud.google.com/go/kms v1.10.1 h1:7hm1bRqGCA1GBRQUrp831TwJ9TWhP+tvLuP497CQS2g= cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI= -cloud.google.com/go/kms v1.15.0 h1:xYl5WEaSekKYN5gGRyhjvZKM22GVBBCzegGNVPy+aIs= +cloud.google.com/go/kms v1.15.3 h1:RYsbxTRmk91ydKCzekI2YjryO4c5Y2M80Zwcs9/D/cI= +cloud.google.com/go/kms v1.15.3/go.mod h1:AJdXqHxS2GlPyduM99s9iGqi2nwbviBbhV/hdmt4iOQ= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE= 
@@ -377,9 +377,9 @@ cloud.google.com/go/monitoring v1.2.0/go.mod h1:tE8I08OzjWmXLhCopnPaUDpfGOEJOonf cloud.google.com/go/monitoring v1.7.0/go.mod h1:HpYse6kkGo//7p6sT0wsIC6IBDET0RhIsnmlA53dvEk= cloud.google.com/go/monitoring v1.8.0/go.mod h1:E7PtoMJ1kQXWxPjB6mv2fhC5/15jInuulFdYYtlcvT4= cloud.google.com/go/monitoring v1.12.0/go.mod h1:yx8Jj2fZNEkL/GYZyTLS4ZtZEZN8WtDEiEqG4kLK50w= -cloud.google.com/go/monitoring v1.13.0 h1:2qsrgXGVoRXpP7otZ14eE1I568zAa92sJSDPyOJvwjM= cloud.google.com/go/monitoring v1.13.0/go.mod h1:k2yMBAB1H9JT/QETjNkgdCGD9bPF712XiLTVr+cBrpw= -cloud.google.com/go/monitoring v1.15.1 h1:65JhLMd+JiYnXr6j5Z63dUYCuOg770p8a/VC+gil/58= +cloud.google.com/go/monitoring v1.16.1 h1:CTklIuUkS5nCricGojPwdkSgPsCTX2HmYTxFDg+UvpU= +cloud.google.com/go/monitoring v1.16.1/go.mod h1:6HsxddR+3y9j+o/cMJH6q/KJ/CBTvM/38L/1m7bTRJ4= cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA= cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o= cloud.google.com/go/networkconnectivity v1.6.0/go.mod h1:OJOoEXW+0LAxHh89nXd64uGG+FbQoeH8DtxCHVOMlaM= 
@@ -610,14 +610,17 @@ cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vf cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA= cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw= code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f/go.mod h1:sk5LnIjB/nIEU7yP5sDQExVm62wu0pBh3yrElngUisI= -cuelang.org/go v0.5.0 h1:D6N0UgTGJCOxFKU8RU+qYvavKNsVc/+ZobmifStVJzU= -cuelang.org/go v0.5.0/go.mod h1:okjJBHFQFer+a41sAe2SaGm1glWS8oEb6CmJvn5Zdws= -cuelang.org/go v0.6.0 h1:dJhgKCog+FEZt7OwAYV1R+o/RZPmE8aqFoptmxSWyr8= -cuelang.org/go v0.6.0/go.mod h1:9CxOX8aawrr3BgSdqPj7V0RYoXo7XIb+yDFC6uESrOQ= +cuelabs.dev/go/oci/ociregistry v0.0.0-20231004130125-2c3ad8a6ecd3 h1:jJJsm3hgxosEoI5wXrwt8mv21j23vInE3owbSYKhR2c= +cuelabs.dev/go/oci/ociregistry v0.0.0-20231004130125-2c3ad8a6ecd3/go.mod h1:oqwWmDcccWVB2yC2eCHFNrQR44/AVB7gHOwtBsWMo0g= +cuelang.org/go v0.6.1-0.20231104111545-b15fcb039af1 h1:UpdGCcg5hXq0r5U5ULt+/qoFQNT73spjVzmzZoC2BT0= +cuelang.org/go v0.6.1-0.20231104111545-b15fcb039af1/go.mod h1:Z1tMydta4L9wPdYmu31GL5pfkGCeQTi3oeP0siVFHvI= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= +github.com/1Password/onepassword-operator v1.8.0 h1:ve04TAod75BSjB5aHTaPJsWsczywZ4PrW7jjvwkJoJs= +github.com/1Password/onepassword-operator v1.8.0/go.mod h1:vfsVn78YM2axgNvpfr9KOQuRyqGTB0Q/Yh9aytSqzHI= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0= github.com/Azure/azure-pipeline-go v0.2.3/go.mod 
h1:x841ezTBIMG6O3lAcl8ATHnsOPVl2bqk7S3ta6S6u4k= github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v44.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= 
@@ -625,19 +628,16 @@ github.com/Azure/azure-sdk-for-go v58.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo github.com/Azure/azure-sdk-for-go v61.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= +github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.1 h1:gVXuXcWd1i4C2Ruxe321aU+IKGaStvGB/S90PUPB/W8= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.1/go.mod h1:DffdKW9RFqa5VgmsjUOsS7UE7eiA5iAvYUs63bhKQ0M= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 h1:8q4SaHjFsClSvuVne0ID/5Ka8u3fcIHyqkLjcFpNRHQ= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 h1:9kDVnTz3vbfweTqAUmk/a/pH5pWFCHtvRpHYC0G/dcA= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0/go.mod h1:3Ug6Qzto9anB6mGlEdgYMDF5zHQ+wwhEaYR4s17PHMw= github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1 h1:T8quHYlUGyb/oqtSTwqlCr1ilJHrDv+ZtpSfo+hm1BU= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1/go.mod h1:gLa1CL2RNE4s7M3yopJ/p0iq5DdY6Yv5ZUt9MTRZOQM= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod 
h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs= github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.4.0 h1:TuEMD+E+1aTjjLICGQOW6vLe8UWES7kopac9mUXL56Y= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.4.0/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI= github.com/Azure/azure-storage-blob-go v0.14.0/go.mod h1:SMqIBi+SuiQH32bvyjngEewEeXoPfKMgWlBDaYf6fck= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= @@ -653,6 +653,7 @@ github.com/Azure/go-autorest/autorest v0.11.21/go.mod h1:Do/yuMSW/13ayUkcVREpsMH github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= +github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= 
@@ -662,14 +663,17 @@ github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4Uw github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8= +github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c= github.com/Azure/go-autorest/autorest/azure/auth v0.5.0/go.mod h1:QRTvSZQpxqm8mSErhnbI+tANIBAKP7B+UIE2z4ypUO0= github.com/Azure/go-autorest/autorest/azure/auth v0.5.8/go.mod h1:kxyKZTSfKh8OVFWPAgOgQ/frrJgeYQJPyR5fLFmXko4= github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 h1:0W/yGmFdTIT77fvdlGZ0LMISoLHFJ7Tx4U0yeB+uFs4= github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0= github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod 
h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= @@ -692,14 +696,11 @@ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbt github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 h1:oPdPEZFSbl7oSPEAIPMPBMUmiL+mqgzBJwM/9qYcwNg= -github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1/go.mod h1:4qFor3D/HDsvBME35Xy9rwW9DecL+M2sNw1ybjPtwA0= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0 h1:hVeq+yCyUi+MsoO/CU95yqCIcdzra5ovzk8Q2BBpV2M= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0= github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= -github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4= 
@@ -717,8 +718,12 @@ github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF0 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= +github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= +github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= +github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= +github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= 
@@ -731,6 +736,7 @@ github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpz github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ= 
@@ -749,12 +755,24 @@ github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMo github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec h1:vV3RryLxt42+ZIVOFbYJCH1jsZNTNmj2NYru5zfx+4E= +github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/SAP/go-hdb v0.14.1/go.mod h1:7fdQLVC2lER3urZLjZCm0AuMQfApof92n3aylBPEkMo= github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a/go.mod h1:D73UAuEPckrDorYZdtlCu2ySOLuPB5W4rhIkmmc/XbI= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= +github.com/VictoriaMetrics/VictoriaMetrics v1.91.3 h1:mInejMsp7W3z4lrEzO4uQy59WnxIhMqwCeiogAId+jU= +github.com/VictoriaMetrics/VictoriaMetrics v1.91.3/go.mod h1:iDxknwOOdiyR+rBuv20cBVkRLA1jHhQ37eTS29segRw= +github.com/VictoriaMetrics/fasthttp v1.2.0 h1:nd9Wng4DlNtaI27WlYh5mGXCJOmee/2c2blTJwfyU9I= +github.com/VictoriaMetrics/fasthttp v1.2.0/go.mod h1:zv5YSmasAoSyv8sBVexfArzFDIGGTN4TfCKAtAw7IfE= +github.com/VictoriaMetrics/metrics v1.18.1/go.mod h1:ArjwVz7WpgpegX/JpB0zpNF2h2232kErkEnzH1sxMmA= +github.com/VictoriaMetrics/metrics v1.24.0 h1:ILavebReOjYctAGY5QU2F9X0MYvkcrG3aEn2RKa1Zkw= +github.com/VictoriaMetrics/metrics v1.24.0/go.mod h1:eFT25kvsTidQFHb6U0oa0rTrDRdz4xTYjpL8+UPohys= +github.com/VictoriaMetrics/metricsql v0.56.2 h1:quBAbYOlWMhmdgzFSCr1yjtVcdZYZrVQJ7nR9zor7ZM= +github.com/VictoriaMetrics/metricsql 
v0.56.2/go.mod h1:6pP1ZeLVJHqJrHlF6Ij3gmpQIznSsgktEcZgsAWYel0= +github.com/VictoriaMetrics/operator/api v0.0.0-20231101174116-b89ce3b1ecc1 h1:CztZZXl0HpVb7uHOk6h0lpidOctRqZ0mG2M4C4uNuYw= +github.com/VictoriaMetrics/operator/api v0.0.0-20231101174116-b89ce3b1ecc1/go.mod h1:9xOZrc3kjanpgasau9iMeUM6vYIm37bdTpBRYB0nccY= github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af/go.mod h1:5Jv4cbFiHJMsVxt52+i0Ha45fjshj6wxYr1r19tB9bw= github.com/aerospike/aerospike-client-go/v5 v5.6.0/go.mod h1:rJ/KpmClE7kiBPfvAPrGw9WuNOiz8v2uKbQaUyYPXtI= github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= 
@@ -776,13 +794,14 @@ github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190412020505-60e2075261b6/go.mod github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f/go.mod h1:myCDvQSzCW+wB1WAlocEru4wMGJxy+vlxHdhegi1CDQ= github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499/go.mod h1:RcDobYh8k5VP6TNybz9m++gL3ijVI5wueVr0EM10VsU= github.com/aliyun/alibaba-cloud-sdk-go v1.62.392 h1:AZNUoPBzLYnwGpUYWIvDE+DysNzuwABiQeN3uYSN/N8= +github.com/aliyun/alibaba-cloud-sdk-go v1.62.392/go.mod h1:Api2AkmMgGaSUAhmk76oaFObkoeCPc/bKAqcyplPODs= github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= +github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= +github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= -github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= github.com/apache/arrow/go/arrow v0.0.0-20210818145353-234c94e4ce64/go.mod h1:2qMFB56yOP3KzkB3PbYZ4AlUFg3a88F67TIx5lB/WwY= 
@@ -823,14 +842,8 @@ github.com/aws/aws-sdk-go v1.38.35/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2z github.com/aws/aws-sdk-go v1.43.8/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.44.95/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.44.164/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= -github.com/aws/aws-sdk-go v1.44.289 h1:5CVEjiHFvdiVlKPBzv0rjG4zH/21W/onT18R5AH/qx0= -github.com/aws/aws-sdk-go v1.44.289/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= -github.com/aws/aws-sdk-go v1.44.302 h1:ST3ko6GrJKn3Xi+nAvxjG3uk/V1pW8KC52WLeIxqqNk= -github.com/aws/aws-sdk-go v1.44.302/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= -github.com/aws/aws-sdk-go v1.44.322 h1:7JfwifGRGQMHd99PvfXqxBaZsjuRaOF6e3X9zRx2uYo= -github.com/aws/aws-sdk-go v1.44.322/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= -github.com/aws/aws-sdk-go v1.45.7 h1:k4QsvWZhm8409TYeRuTV1P6+j3lLKoe+giFA/j3VAps= -github.com/aws/aws-sdk-go v1.45.7/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= +github.com/aws/aws-sdk-go v1.46.6 h1:6wFnNC9hETIZLMf6SOTN7IcclrOGwp/n9SLp8Pjt6E8= +github.com/aws/aws-sdk-go v1.46.6/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go-v2 v1.8.0/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0= github.com/aws/aws-sdk-go-v2/config v1.6.0/go.mod h1:TNtBVmka80lRPk5+S9ZqVfFszOQAGJJ9KbT3EM3CHNU= github.com/aws/aws-sdk-go-v2/credentials v1.3.2/go.mod h1:PACKuTJdt6AlXvEq8rFI4eDmoqDFC5DpVKQbWysaDgM= 
@@ -847,9 +860,7 @@ github.com/aws/smithy-go v1.7.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAm github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a h1:eqjiAL3qooftPm8b9C1GsSSRcmlw7iOva8vdBTmV2PY= github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a/go.mod h1:2stgcRjl6QmW+gU2h5E7BQXg4HU0gzxKWDuT5HviN9s= github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc= -github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= -github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= 
@@ -864,16 +875,16 @@ github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJm github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/bmatcuk/doublestar/v4 v4.6.0 h1:HTuxyug8GyFbRkrffIpzNCSK4luc0TY3wzXvzIZhEXc= +github.com/bmatcuk/doublestar/v4 v4.6.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= -github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= 
@@ -891,18 +902,8 @@ github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/centrify/cloud-golang-sdk v0.0.0-20210923165758-a8c48d049166/go.mod h1:c/gmvyN8lq6lYtHvrqqoXrg2xyN65N0mBmbikxFWXNE= -github.com/cert-manager/cert-manager v1.12.2 h1:lJ7Xn0VhmBA4uOZb5dlSZzepu38ez73okOqgE24x8YM= -github.com/cert-manager/cert-manager v1.12.2/go.mod h1:ql0msU88JCcQSceN+PFjEY8U+AMe13y06vO2klJk8bs= -github.com/cert-manager/cert-manager v1.12.3 h1:3gZkP7hHI2CjgX5qZ1Tm98YbHVXB2NGAZPVbOLb3AjU= -github.com/cert-manager/cert-manager v1.12.3/go.mod h1:/RYHUvK9cxuU5dbRyhb7g6am9jCcZc8huF3AnADE+nA= -github.com/cert-manager/cert-manager v1.12.4 h1:HI38vtBYTG8b2JHDF65+Dbbd09kZps6bglIAlijoj1g= -github.com/cert-manager/cert-manager v1.12.4/go.mod h1:/RYHUvK9cxuU5dbRyhb7g6am9jCcZc8huF3AnADE+nA= -github.com/cert-manager/cert-manager v1.13.0 h1:P9rWfCgzr2wjpQcZtG5iWdQsOJgpHNwR2WyUNDfs47w= -github.com/cert-manager/cert-manager v1.13.0/go.mod h1:AHwJ0l63L2EoD2G5qz3blEd+8boZcqgWf6dBFA4kZbc= -github.com/cert-manager/cert-manager v1.13.1 h1:hRST6l3G/Y3IDnn3H4zb6unDrZmtTPqaaz3TTGgfXNE= -github.com/cert-manager/cert-manager v1.13.1/go.mod h1:pJe/sqGZ6yX0kYcsAv3e2EQH+xn8Ag8WOLGl/qYWAps= -github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= -github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= +github.com/cert-manager/cert-manager v1.13.2 h1:LG8+OLvxtc49CSyfjW7zHSyvlt7JVaHgRGyhfdvPpkk= +github.com/cert-manager/cert-manager v1.13.2/go.mod h1:AdfSU8muS+bj3C46YaD1VrlpXh672z5MeW/k1k5Sl1w= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod 
h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= @@ -918,6 +919,7 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/cilium/checkmate v1.0.3 h1:CQC5eOmlAZeEjPrVZY3ZwEBH64lHlx9mXYdUehEwI5w= +github.com/cilium/checkmate v1.0.3/go.mod h1:KiBTasf39/F2hf2yAmHw21YFl3hcEyP4Yk6filxc12A= github.com/cilium/cilium v1.14.2 h1:NVz14uSoKB0Y37iFveMQGYH03ZflEuZegmQWpTMf5TM= github.com/cilium/cilium v1.14.2/go.mod h1:ghd9LkTSbRPtJal0Bsdq1ise+j5Ezy14xgaM2o3XLCI= github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg= @@ -934,6 +936,7 @@ github.com/circonus-labs/circonusllhist v0.1.3 h1:TJH+oke8D16535+jHExHj4nQvzlZrj github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= +github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= github.com/cloudfoundry-community/go-cfclient v0.0.0-20210823134051-721f0e559306/go.mod h1:0FdHblxw7g3M2PPICOw9i8YZOHP9dZTHbJUtoxL7Z/E= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= 
@@ -948,17 +951,12 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k= -github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= -github.com/cockroachdb/apd/v2 v2.0.2 h1:weh8u7Cneje73dDh+2tEVLUvyBc89iwepWCD8b8034E= -github.com/cockroachdb/apd/v2 v2.0.2/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw= -github.com/cockroachdb/apd/v3 v3.2.0 h1:79kHCn4tO0VGu3W0WujYrMjBDk8a2H4KEUYcXf7whcg= -github.com/cockroachdb/apd/v3 v3.2.0/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= +github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= +github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c/go.mod h1:XGLbWH/ujMcbPbhZq52Nv6UrCghb1yGn//133kEsvDk= -github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/datadriven v1.0.2/go.mod h1:a9RdTaap04u637JoCzcUoIcDmvwSUtcUFtT/C3kJlTU= -github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= -github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= github.com/containerd/aufs 
v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= @@ -1060,7 +1058,6 @@ github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= -github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= @@ -1076,7 +1073,6 @@ github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7 github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= 
@@ -1102,11 +1098,6 @@ github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1S github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I= -github.com/dave/dst v0.26.2/go.mod h1:UMDJuIRPfyUCC78eFuB+SV/WI8oDeyFDvM/JR6NI3IU= -github.com/dave/gopackages v0.0.0-20170318123100-46e7023ec56e/go.mod h1:i00+b/gKdIDIxuLDFob7ustLAVqhsZRk2qVZrArELGQ= -github.com/dave/jennifer v1.2.0/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhrIygKg= -github.com/dave/kerr v0.0.0-20170318121727-bc25dd6abe8e/go.mod h1:qZqlPyPvfsDJt+3wHJ1EvSXDuVjFTK0j2p/ca+gtsb8= -github.com/dave/rebecca v0.9.1/go.mod h1:N6XYdMD/OKw3lkF3ywh8Z6wPGuwNFDNtWYEMFWEmXBA= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= @@ -1126,6 +1117,7 @@ github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc/go.mod h1:c9O8+fp github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/digitalocean/godo v1.7.5/go.mod h1:h6faOIcZ8lWIwNQ+DN7b3CgX4Kwby5T+nbpNqkUIozU= github.com/digitalocean/godo v1.102.1 h1:BrNePwIXjQWjOJXVTBqkURMjm70BRR0qXbRKfHNBF24= +github.com/digitalocean/godo v1.102.1/go.mod h1:SaUYccN7r+CO1QtsbXGypAsgobDrmSfVMJESEfXgoEg= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= 
@@ -1149,6 +1141,7 @@ github.com/docker/docker v20.10.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05b github.com/docker/docker v20.10.10+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.18+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v24.0.5+incompatible h1:WmgcE4fxyI6EEXxBRxsHnZXrO1pQ3smi0k/jho4HLeY= +github.com/docker/docker v24.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= @@ -1169,7 +1162,6 @@ github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdf github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74 h1:2MIhn2R6oXQbgW5yHfS+d6YqyMfXiu2L55rFZC4UD/M= github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74/go.mod h1:UqXY1lYT/ERa4OEAywUqdok1T4RCRdArkhic1Opuavo= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= 
@@ -1180,8 +1172,6 @@ github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE= -github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/proto v1.11.2 h1:DiIeyTJ+gPSyJI+RIAqvuTeKb0tLUmaGXbYg6aFKsnE= 
@@ -1196,20 +1186,25 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.m github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34= -github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f h1:7T++XKzy4xg7PKy+bM+Sa9/oe1OC88yz2hXQUISoXfA= +github.com/envoyproxy/go-control-plane v0.11.1 h1:wSUXTlLfiAQRWs2F+p+EKOY9rUyis1MyGqJ2DIk5HpM= +github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w= -github.com/envoyproxy/protoc-gen-validate v1.0.1 h1:kt9FtLiooDc0vbwTLhdg3dyNX1K9Qwa1EK9LcD4jVUQ= +github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= +github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/evanphx/json-patch/v5 v5.6.0 
h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= +github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc= +github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= +github.com/external-secrets/external-secrets v0.9.8 h1:5Oqy6WkWHpR3rTC8h+m698yItXMyakHFViLXd3pCq3w= +github.com/external-secrets/external-secrets v0.9.8/go.mod h1:zUzPeH6vR7IJX4bJ0JnGJ6Znz4C2KU9sITuom7beHPM= github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= @@ -1221,7 +1216,6 @@ github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga github.com/favadi/protoc-go-inject-tag v1.3.0/go.mod h1:SSkUBgfqw2IJ2p7NPNKWk0Idwxt/qIt2LQgFPUgRGtc= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= 
@@ -1229,14 +1223,15 @@ github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoD github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= -github.com/frankban/quicktest v1.14.2 h1:SPb1KFFmM+ybpEjPUhCCkZOM5xlovT5UbrMvWnXyBns= github.com/frankban/quicktest v1.14.2/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps= github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= +github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQmYw= github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0= 
@@ -1244,7 +1239,6 @@ github.com/gabriel-vasile/mimetype v1.3.1/go.mod h1:fA8fi6KUiG7MgQQ+mEWotXoEOvmx github.com/gammazero/deque v0.0.0-20190130191400-2afb3858e9c7/go.mod h1:GeIq9qoE43YdGnDXURnmKTnGg15pQz4mYkXSTChbneI= github.com/gammazero/workerpool v0.0.0-20190406235159-88d534f22b56/go.mod h1:w9RqFVO2BM3xwWEcAB8Fwp0OviTBBEiRmSBDfbXnd3w= github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= -github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I= github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= 
@@ -1292,13 +1286,15 @@ github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTg github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= +github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= 
@@ -1330,7 +1326,6 @@ github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwds github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ= github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA= @@ -1375,7 +1370,10 @@ github.com/go-openapi/spec v0.19.15/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFu github.com/go-openapi/spec v0.20.0/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU= github.com/go-openapi/spec v0.20.1/go.mod h1:93x7oh+d+FQsmsieroS4cmR3u0p/ywH649a3qwC9OsQ= github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg= -github.com/go-openapi/spec v0.20.8 h1:ubHmXNY3FCIOinT8RNrrPfGc9t7I1qhPtdOGoG2AxRU= +github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I= +github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= +github.com/go-openapi/spec v0.20.9 h1:xnlYNQAwKd2VQRRfwTEI0DcK+2cbuvI/0c7jx3gA8/8= +github.com/go-openapi/spec v0.20.9/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= 
@@ -1385,7 +1383,11 @@ github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= +github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg= +github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= +github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg= github.com/go-openapi/strfmt v0.21.7 h1:rspiXgNWgeUzhjo1YU01do6qsahtJNByjLVbPLNHb8k= +github.com/go-openapi/strfmt v0.21.7/go.mod h1:adeGTkxE44sPyLk0JV235VQAO/ZXUr8KAzYjclFs3ew= github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= @@ -1395,6 +1397,8 @@ github.com/go-openapi/swag v0.19.9/go.mod h1:ao+8BpOPyKdpQz3AOJfbeEVpLmWAvlT1IfT github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M= github.com/go-openapi/swag v0.19.13/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU= github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= 
@@ -1407,11 +1411,15 @@ github.com/go-openapi/validate v0.19.15/go.mod h1:tbn/fdOwYHgrhPBzidZfJC2MIVvs9G github.com/go-openapi/validate v0.20.1/go.mod h1:b60iJT+xNNLfaQJUqLI7946tYiFEOuE9E4k54HpKcJ0= github.com/go-openapi/validate v0.20.2/go.mod h1:e7OJoKNgd0twXZwIn0A43tHbvIcr/rZIVCbJBpTUoY0= github.com/go-openapi/validate v0.22.1 h1:G+c2ub6q47kfX1sOBLwIQwzBVt8qmOAARyo/9Fqs9NU= +github.com/go-openapi/validate v0.22.1/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= github.com/go-ozzo/ozzo-validation v3.6.0+incompatible h1:msy24VGS42fKO9K1vLz82/GeYW1cILu7Nuuj1N3BBkE= github.com/go-ozzo/ozzo-validation v3.6.0+incompatible/go.mod h1:gsEKFIVnabGBt6mXmxK0MoFy+cZoTJY6mu5Ll3LVLBU= github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= +github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= +github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY= +github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 
@@ -1424,7 +1432,9 @@ github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3a github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= +github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/go-zookeeper/zk v1.0.3 h1:7M2kwOsc//9VeeFiPtf+uSJlVpU66x9Ba5+8XK7/TDg= +github.com/go-zookeeper/zk v1.0.3/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw= github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= 
@@ -1473,13 +1483,15 @@ github.com/golang-jwt/jwt/v4 v4.3.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= +github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= -github.com/golang/glog v1.1.1 h1:jxpi2eWoU84wbX9iIEyAeeoac3FLuifZpY9tcNUD9kw= -github.com/golang/glog v1.1.1/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= +github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -1530,18 +1542,11 @@ github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw= -github.com/google/cel-go v0.15.2 h1:jX8b/sSNoE1JBaxLAVDb+rTuEk9F7+Yd8UVKWjoz7SU= -github.com/google/cel-go v0.15.2/go.mod h1:YzWEoI07MC/a/wj9in8GeVatqfypkldgBlwXh9bCwqY= -github.com/google/cel-go v0.16.0 h1:DG9YQ8nFCFXAs/FDDwBxmL1tpKNrdlGUM9U3537bX/Y= -github.com/google/cel-go v0.16.0/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/cel-go v0.16.1 h1:3hZfSNiAU3KOiNtxuFXVp5WFy4hf/Ly3Sa4/7F8SXNo= github.com/google/cel-go v0.16.1/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/flatbuffers v2.0.0+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= -github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0= -github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -1558,8 +1563,9 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0= github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ= github.com/google/go-metrics-stackdriver v0.2.0 h1:rbs2sxHAPn2OtUj9JdR/Gij1YKGl0BTVD0augB+HEjE= @@ -1577,7 +1583,6 @@ github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIG github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= -github.com/google/pprof v0.0.0-20181127221834-b4f47329b966/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -1594,8 +1599,11 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 h1:hR7/MlvK23p6+lIw9SN1TigNLn9ZnF3W4SYRKq2gAHs= +github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= +github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/tink/go v1.6.1/go.mod h1:IGW53kTgag+st5yPhKKwJ6u2l+SSp5/v9XF7spovjlY= 
@@ -1603,16 +1611,16 @@ github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg= github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= -github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= +github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 
v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= 
@@ -1623,15 +1631,17 @@ github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8= -github.com/googleapis/gax-go/v2 v2.7.1 h1:gF4c0zjUP2H/s/hEGyLA3I0fA2ZWjzYiONAD6cvPr8A= github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= +github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= github.com/googleapis/gnostic v0.2.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= -github.com/gophercloud/gophercloud v1.4.0 h1:RqEu43vaX0lb0LanZr5BylK5ICVxjpFFoc0sxivyuHU= +github.com/gophercloud/gophercloud v1.5.0 h1:cDN6XFCLKiiqvYpjQLq9AiM7RDRbIC9450WpPH+yvXo= +github.com/gophercloud/gophercloud v1.5.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= 
@@ -1659,8 +1669,6 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 h1:gDLXvp5S9izjldquuoAhDzccbskOL6tDC5jMSyx3zxE= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2/go.mod h1:7pdNwVWBBHGiCxa9lAszqCJMbfTISJ7oMftp8+UGV08= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI= 
@@ -1670,16 +1678,19 @@ github.com/hashicorp/cap v0.2.1-0.20220727210936-60cd1534e220/go.mod h1:zb3VvIFA github.com/hashicorp/consul-template v0.29.5/go.mod h1:SZGBPz/t0JaBwMOqM6q/mG66cBRA8IeDUjOwjO0Pa5M= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/api v1.15.2/go.mod h1:v6nvB10borjOuIwNRZYPZiHKrTM/AyrGtd0WVVodKM8= -github.com/hashicorp/consul/api v1.21.0 h1:WMR2JiyuaQWRAMFaOGiYfY4Q4HRpyYRe/oYQofjyduM= +github.com/hashicorp/consul/api v1.22.0 h1:ydEvDooB/A0c/xpsBd8GSt7P2/zYPBui4KrNip0xGjE= +github.com/hashicorp/consul/api v1.22.0/go.mod h1:zHpYgZ7TeYqS6zaszjwSt128OwESRpnhU9aGa6ue3Eg= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/consul/sdk v0.11.0/go.mod h1:yPkX5Q6CsxTFMjQQDJwzeNmUUF5NUGGbrDsv9wTb8cw= -github.com/hashicorp/cronexpr v1.1.1 h1:NJZDd87hGXjoZBdvyCF9mX4DCq5Wy7+A/w+A7q0wn6c= github.com/hashicorp/cronexpr v1.1.1/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4= +github.com/hashicorp/cronexpr v1.1.2 h1:wG/ZYIKT+RT3QkOdgYc+xsKWVRgnxJ1OJtjjy84fJ9A= +github.com/hashicorp/cronexpr v1.1.2/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/eventlogger v0.1.1 h1:zyCjxsy7KunFsMPZKU5PnwWEakSrp1zjj2vPFmrDaeo= +github.com/hashicorp/eventlogger v0.1.1/go.mod h1://CHt6/j+Q2lc0NlUB5af4aS2M0c0aVBg9/JfcpAyhM= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= 
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= 
@@ -1716,22 +1727,30 @@ github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0/go.mod h1:xvb32K2keAc+R8D github.com/hashicorp/go-kms-wrapping/v2 v2.0.0/go.mod h1:H+TfVXu/Eyi6Ccs4EoT8pa3gR5lRh12sw4AOq6XkXCg= github.com/hashicorp/go-kms-wrapping/v2 v2.0.5/go.mod h1:sDQAfwJGv25uGPZA04x87ERglCG6avnRcBT9wYoMII8= github.com/hashicorp/go-kms-wrapping/v2 v2.0.8 h1:9Q2lu1YbbmiAgvYZ7Pr31RdlVonUpX+mmDL7Z7qTA2U= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.8/go.mod h1:qTCjxGig/kjuj3hk1z8pOUrzbse/GxB1tGfbrq8tGJg= github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4/go.mod h1:dDxt3GXi5QONVHYrJi2+EjsJLCUs59FktZQA8ZMnm+U= github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.7-1 h1:ZV26VJYcITBom0QqYSUOIj4HOHCVPEFjLqjxyXV/AbA= +github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.7-1/go.mod h1:b99cDSA+OzcyRoBZroSf174/ss/e6gUuS45wue9ZQfc= github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1 h1:ydUCtmr8f9F+mHZ1iCsvzqFTXqNVpewX3s9zcYipMKI= github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1/go.mod h1:Sl/ffzV57UAyjtSg1h5Km0rN5+dtzZJm1CUztkoCW2c= github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.1/go.mod h1:3D5UB9fjot4oUTYGQ5gGmhLJKreyLZeI0XB+NxcLTKs= github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.7 h1:E3eEWpkofgPNrYyYznfS1+drq4/jFcqHQVNcL7WhUCo= +github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.7/go.mod h1:j5vefRoguQUG7iM4reS/hKIZssU1lZRqNPM5Wow6UnM= github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1/go.mod h1:sDmsWR/W2LqwU217o32RzdHMb/FywGLF72PVIhpZ3hE= github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.7 h1:X27JWuPW6Gmi2l7NMm0pvnp7z7hhtns2TeIOQU93mqI= +github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.7/go.mod h1:i7Dt9mDsVUQG/I639jtdQerliaO2SvvPnpYPhZ8CGZ4= github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.1/go.mod h1:YRtkersQ2N3iHlPDG5B3xBQtBsNZ3bjmlCwnrl26jVE= github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.8 
h1:16I8OqBEuxZIowwn3jiLvhlx+z+ia4dJc9stvz0yUBU= +github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.8/go.mod h1:6QUMo5BrXAtbzSuZilqmx0A4px2u6PeFK7vfp2WIzeM= github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0/go.mod h1:17twrc0lM8IpfGqIv69WQvwgDiu3nRwWlk5YfCSQduY= github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.7 h1:KeG3QGrbxbr2qAqCJdf3NR4ijAYwdcWLTmwSbR0yusM= +github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.7/go.mod h1:rXxYzjjGw4HltEwxPp9zYSRIo6R+rBf1MSPk01bvodc= github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1/go.mod h1:JytRAxdJViV+unUUWedb7uzEy5pgu7OurbqX0eHEikE= github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.7 h1:G25tZFw/LrAzJWxvS0/BFI7V1xAP/UsAIsgBwiE0mwo= -github.com/hashicorp/go-memdb v1.3.3 h1:oGfEWrFuxtIUF3W2q/Jzt6G85TrMk9ey6XfYLvVe1Wo= +github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.7/go.mod h1:hxNA5oTfAvwPacWVg1axtF/lvTafwlAa6a6K4uzWHhw= github.com/hashicorp/go-memdb v1.3.3/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg= +github.com/hashicorp/go-memdb v1.3.4 h1:XSL3NR682X/cVk2IeV0d70N4DZ9ljI885xAEU8IoK3c= +github.com/hashicorp/go-memdb v1.3.4/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-msgpack v1.1.5 h1:9byZdVjKTe5mce63pRVNP1L7UAmdHOTEMGehn6KvJWs= 
@@ -1744,7 +1763,8 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9 github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY= github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= github.com/hashicorp/go-plugin v1.4.5/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= -github.com/hashicorp/go-plugin v1.4.8 h1:CHGwpxYDOttQOY7HOWgETU9dyVjOXzniXDqJcYJE1zM= +github.com/hashicorp/go-plugin v1.5.0 h1:g6Lj3USwF5LaB8HlvCxPjN2X4nFE08ko2BJNVpl7TIE= +github.com/hashicorp/go-plugin v1.5.0/go.mod h1:w1sAEES3g3PuV/RzUrgow20W2uErMly84hhD3um1WL4= github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a h1:FmnBDwGwlTgugDGbVxwV8UavqSMACbGrUpfc98yFLR4= github.com/hashicorp/go-raftchunking v0.6.3-0.20191002164813-7e9e8525653a/go.mod h1:xbXnmKqX9/+RhPkJ4zrEx4738HacP72aaUPlT2RZ4sU= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= 
@@ -1760,8 +1780,9 @@ github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= -github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 h1:W9WN8p6moV1fjKLkeqEgkAMu5rauy9QeYDAmIaPuuiA= github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6/go.mod h1:MpCPSPGLDILGb4JMm94/mMi3YysIqsXzGCzkEZjcjXg= +github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3 h1:AAQ6Vmo/ncfrZYtbpjhO+g0Qt+iNpYtl3UWT1NLmbYY= +github.com/hashicorp/go-secure-stdlib/awsutil v0.2.3/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg= github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= 
@@ -1774,10 +1795,12 @@ github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtf github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8/go.mod h1:aiJI+PIApBRQG7FZTEBx5GiiX+HbOHilUdNxUZi4eV0= github.com/hashicorp/go-secure-stdlib/password v0.1.1 h1:6JzmBqXprakgFEHwBgdchsjaA9x3GyjdI568bXKxa60= github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= +github.com/hashicorp/go-secure-stdlib/plugincontainer v0.1.1 h1:1F0n5stk5uz4yIw2elN3k6bGbIv95OQaJVR2sVQ1kk0= +github.com/hashicorp/go-secure-stdlib/plugincontainer v0.1.1/go.mod h1:kRpzC4wHYXc2+sjXA9vuKawXYs0x0d0HuqqbaW1fj1w= github.com/hashicorp/go-secure-stdlib/reloadutil v0.1.1 h1:SMGUnbpAcat8rIKHkBPjfv81yC46a8eCNZ2hsR2l1EI= github.com/hashicorp/go-secure-stdlib/reloadutil v0.1.1/go.mod h1:Ch/bf00Qnx77MZd49JRgHYqHQjtEmTgGU2faufpVZb0= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= 
@@ -1788,8 +1811,9 @@ github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2 h1:phcbL8urUzF/kxA/Oj6awENa github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= github.com/hashicorp/go-slug v0.7.0/go.mod h1:Ib+IWBYfEfJGI1ZyXMGNbu2BU+aa3Dzu41RKLH301v4= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= -github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2wMvfPJU= +github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-tfe v0.20.0/go.mod h1:gyXLXbpBVxA2F/6opah8XBsOkZJxHYQmghl0OWi8keI= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 
@@ -1809,13 +1833,14 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4= -github.com/hashicorp/golang-lru v0.6.0/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/hcp-sdk-go v0.22.0/go.mod h1:mM3nYdVHuv2X2tv88MGVKRf/o2k3zF8jUZSMkwICQ28= github.com/hashicorp/hcp-sdk-go v0.23.0 h1:3WarkQSK0VzxJaH6psHIGQagag3ujL+NjWagZZHpiZM= +github.com/hashicorp/hcp-sdk-go v0.23.0/go.mod h1:/9UoDY2FYYA8lFaKBb2HmM/jKYZGANmf65q9QRc/cVw= github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d/go.mod h1:Yog5+CPEM3c99L1CL2CFCYoSzgWm5vTU58idbRUaLik= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= 
@@ -1826,7 +1851,8 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/memberlist v0.3.1/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/nomad/api v0.0.0-20220707195938-75f4c2237b28/go.mod h1:FslB+3eLbZgkuPWffqO1GeNzBFw1SuVqN2PXsMNe0Fg= -github.com/hashicorp/nomad/api v0.0.0-20230605233119-67e39d5d248f h1:yxjcAZRuYymIDC0W4IQHgTe9EQdu2BsjPlVmKwyVZT4= +github.com/hashicorp/nomad/api v0.0.0-20230718173136-3a687930bd3e h1:sr4lujmn9heD030xx/Pd4B/JSmvRhFzuotNXaaV0WLs= +github.com/hashicorp/nomad/api v0.0.0-20230718173136-3a687930bd3e/go.mod h1:O23qLAZuCx4htdY9zBaO4cJPXgleSFEdq6D/sezGgYE= github.com/hashicorp/raft v1.0.1/go.mod h1:DVSAWItjLjTOkVbSpWQ0j0kUADIvDaCtBxIcbNAQLkI= github.com/hashicorp/raft v1.1.0/go.mod h1:4Ak7FSPnuvmb0GV6vgIAJ4vYT4bek9bb6Q+7HVbyzqM= github.com/hashicorp/raft v1.1.2-0.20191002163536-9c6bd3e3eb17/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8= @@ -1835,6 +1861,7 @@ github.com/hashicorp/raft v1.3.10 h1:LR5QZX1VQd0DFWZfeCwWawyeKfpS/Tm1yjnJIY5X4Tw github.com/hashicorp/raft v1.3.10/go.mod h1:J8naEwc6XaaCfts7+28whSeRvCqTd6e20BlCU3LtEO4= github.com/hashicorp/raft-autopilot v0.1.6/go.mod h1:Af4jZBwaNOI+tXfIqIdbcAnh/UyyqIMj/pOISIfhArw= github.com/hashicorp/raft-autopilot v0.2.0 h1:2/R2RPgamgRKgNWGQioULZvjeKXQZmDuw5Ty+6c+H7Y= +github.com/hashicorp/raft-autopilot v0.2.0/go.mod h1:q6tZ8UAZ5xio2gv2JvjgmtOlh80M6ic8xQYBe2Egkg8= github.com/hashicorp/raft-boltdb v0.0.0-20171010151810-6e5ba93211ea h1:xykPFhrBAS2J0VBzVa5e80b5ZtYuNQtgXjN40qBZlD4= github.com/hashicorp/raft-boltdb v0.0.0-20171010151810-6e5ba93211ea/go.mod h1:pNv7Wc3ycL6F5oOWn+tPGo2gWD4a5X+yp/ntwdKLjRk= github.com/hashicorp/raft-boltdb/v2 v2.0.0-20210421194847-a7e34179d62c h1:oiKun9QlrOz5yQxMZJ3tf1kWtFYuKSJzxzEDxDPevj4= 
@@ -1844,9 +1871,8 @@ github.com/hashicorp/raft-snapshot v1.0.4/go.mod h1:5sL9eUn72lH5DzsFIJ9jaysITbHk github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/serf v0.9.7/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= github.com/hashicorp/serf v0.10.1 h1:Z1H2J60yRKvfDYAOZLd2MU0ND4AH/WDz7xYHDWQsIPY= +github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4= github.com/hashicorp/vault v1.12.2/go.mod h1:8vvin/hC1qj3wIiW2TDS5nwgmkXYMf6H1Qje69OI/mw= -github.com/hashicorp/vault v1.13.4 h1:A089hLvtwIVowWwrbGdYJqJ7/sMM4iDEuwXXnTL4ehs= -github.com/hashicorp/vault v1.13.4/go.mod h1:+tySoVOldtS+rQfvOh0nqY67YjnkkiTTSLQvwaBKR0w= github.com/hashicorp/vault v1.13.5 h1:OxJBYy/6b0vw3/A/W6k8eOMfe5bj+cMcn9G6IgvrOVA= github.com/hashicorp/vault v1.13.5/go.mod h1:pwi56hyIUi3b3fVT5G23K4Hi84nEYG1l+Kz1V6aLb7s= github.com/hashicorp/vault-plugin-auth-alicloud v0.13.0/go.mod h1:UO140aqMmOpWVfot9kpowLHhbbJ1alBJBjctIxKtpkY= 
@@ -1887,13 +1913,11 @@ github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFy github.com/hashicorp/vault/api v1.5.0/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= github.com/hashicorp/vault/api v1.7.2/go.mod h1:xbfA+1AvxFseDzxxdWaL0uO99n1+tndus4GCrtouy0M= github.com/hashicorp/vault/api v1.8.0/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= -github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3Cl2as= -github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/hashicorp/vault/api v1.10.0 h1:/US7sIjWN6Imp4o/Rj1Ce2Nr5bki/AXi9vAW3p2tOJQ= github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/hashicorp/vault/api/auth/approle v0.1.0/go.mod h1:mHOLgh//xDx4dpqXoq6tS8Ob0FoCFWLU2ibJ26Lfmag= -github.com/hashicorp/vault/api/auth/approle v0.4.1 h1:NElpX7DZ2uaLGwY+leWXHUqw9tepsYkcHvIowgIZteI= -github.com/hashicorp/vault/api/auth/approle v0.4.1/go.mod h1:rlI2VbmuHkptRun7DngpxOSvRC+JuITqAs/Z09pUucU= +github.com/hashicorp/vault/api/auth/approle v0.5.0 h1:a1TK6VGwYqSAfkmX4y4dJ4WBxMU5dStIZqScW4EPXR8= +github.com/hashicorp/vault/api/auth/approle v0.5.0/go.mod h1:CHOQIA1AZACfjTzHggmyfiOZ+xCSKNRFqe48FTCzH0k= github.com/hashicorp/vault/api/auth/kubernetes v0.3.0/go.mod h1:l1B4MGtLc+P37MabBQiIhP3qd9agj0vqhETmaQjjC/Y= github.com/hashicorp/vault/api/auth/userpass v0.1.0/go.mod h1:0orUbtkEwbEPmaQ+wvfrOddGBimLJnuN8A/J0PNfBks= github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M= 
@@ -1909,23 +1933,22 @@ github.com/hashicorp/vault/sdk v0.5.1/go.mod h1:DoGraE9kKGNcVgPmTuX357Fm6WAx1Okv github.com/hashicorp/vault/sdk v0.5.3/go.mod h1:DoGraE9kKGNcVgPmTuX357Fm6WAx1Okvde8Vp3dPDoU= github.com/hashicorp/vault/sdk v0.6.0/go.mod h1:+DRpzoXIdMvKc88R4qxr+edwy/RvH5QK8itmxLiDHLc= github.com/hashicorp/vault/sdk v0.6.1-0.20221102145943-1e9b0a1225c3/go.mod h1:h25xhm657j/WX0QYIK43fGeEzaQ4zG/A55vRe+09Q2U= -github.com/hashicorp/vault/sdk v0.9.1 h1:fMkjCfqC5ohA2b7p1kv5poe488pFhBl9oaz2FkDkDAQ= -github.com/hashicorp/vault/sdk v0.9.1/go.mod h1:YmQ899tcCpwEgH6fOfU7AY0OURy8EqYj8sEdRac25TM= -github.com/hashicorp/vault/sdk v0.9.2 h1:H1kitfl1rG2SHbeGEyvhEqmIjVKE3E6c2q3ViKOs6HA= -github.com/hashicorp/vault/sdk v0.9.2/go.mod h1:gG0lA7P++KefplzvcD3vrfCmgxVAM7Z/SqX5NeOL/98= github.com/hashicorp/vault/sdk v0.10.0 h1:dDAe1mMG7Qqor1h3i7TU70ykwJy8ijyWeZZkN2CB0j4= github.com/hashicorp/vault/sdk v0.10.0/go.mod h1:s9F8+FF/Q9HuChoi1OWnIPoHRU6V675qHhCYkXVPPQE= github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 h1:O/pT5C1Q3mVXMyuqg7yuAWUg/jMZR1/0QTzTRdNR6Uw= github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443/go.mod h1:bEpDU35nTu0ey1EXjwNwPjI9xErAsoOCmcMb9GKvyxo= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= -github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 h1:xixZ2bWeofWV68J+x6AzmKuVM/JWCQwkWm6GW/MUR6I= github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= -github.com/hetznercloud/hcloud-go v1.45.1 h1:nl0OOklFfQT5J6AaNIOhl5Ruh3fhmGmhvZEqHbibVuk= +github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= +github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= +github.com/hetznercloud/hcloud-go/v2 v2.0.0 
h1:Sg1DJ+MAKvbYAqaBaq9tPbwXBS2ckPIaMtVdUjKu+4g= +github.com/hetznercloud/hcloud-go/v2 v2.0.0/go.mod h1:4iUG2NG8b61IAwNx6UsMWQ6IfIf/i1RsG0BbsKAyR5Q= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4= -github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw= github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= +github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/iancoleman/strcase v0.1.3/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
@@ -1939,12 +1962,12 @@ github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/influxdata/influxdb v1.7.6/go.mod h1:qZna6X/4elxqT3yI9iZYdZrWWdeFOOprn86kgg4+IzY= github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= -github.com/ionos-cloud/sdk-go/v6 v6.1.7 h1:uVG1Q/ZDJ7YmCI9Oevpue9xJEH5UrUMyXv8gm7NTxIw= +github.com/ionos-cloud/sdk-go/v6 v6.1.8 h1:493wE/BkZxJf7x79UCE0cYGPZoqQcPiEBALvt7uVGY0= +github.com/ionos-cloud/sdk-go/v6 v6.1.8/go.mod h1:EzEgRIDxBELvfoa/uBN0kOQaqovLjUWEB7iW4/Q+t4k= github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo= github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk= 
@@ -2005,8 +2028,9 @@ github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= 
@@ -2055,15 +2079,16 @@ github.com/klauspost/compress v1.11.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYs github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.13.1/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= -github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I= github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b h1:udzkj9S/zlT5X367kqJis0QP7YMxobob6zhzq6Yre00= +github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b/go.mod h1:pcaDhQK0/NJZEvtCO0qQPPropqV0sJOJ6YW7X+9kRwM= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -2093,8 +2118,9 @@ github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs= github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= +github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/libopenstorage/autopilot-api v0.6.1-0.20210128210103-5fbb67948648/go.mod h1:6JLrPbR3ZJQFbUY/+QJMl/aF00YdIrLf8/GWAplgvJs= github.com/libopenstorage/openstorage v8.0.0+incompatible/go.mod h1:Sp1sIObHjat1BeXhfMqLZ14wnOzEhNx2YQedreMcUyc= github.com/libopenstorage/operator v0.0.0-20200725001727-48d03e197117/go.mod h1:Qh+VXOB6hj60VmlgsmY+R1w+dFuHK246UueM4SAqZG0= @@ -2104,7 +2130,8 @@ github.com/libopenstorage/stork v1.3.0-beta1.0.20200630005842-9255e7a98775/go.mo github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/linode/linodego v0.7.1/go.mod h1:ga11n3ivecUrPCHN0rANxKmfWBJVkOXfLMZinAbj2sY= -github.com/linode/linodego v1.17.0 h1:aWS98f0jUoY2lhsEuBxRdVkqyGM0nazPd68AEDF0EvU= +github.com/linode/linodego v1.19.0 h1:n4WJrcr9+30e9JGZ6DI0nZbm5SdAj1kSwvvt/998YUw= +github.com/linode/linodego v1.19.0/go.mod h1:XZFR+yJ9mm2kwf6itZ6SCpu+6w3KnIevV0Uu5HNWJgQ= github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo= github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY= github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc= 
@@ -2114,6 +2141,8 @@ github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuz github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= +github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= @@ -2144,8 +2173,8 @@ github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOA github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA= -github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= 
@@ -2153,8 +2182,9 @@ github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= +github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= github.com/mediocregopher/radix/v4 v4.1.1/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE= github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= 
@@ -2162,7 +2192,8 @@ github.com/michaelklishin/rabbit-hole/v2 v2.12.0/go.mod h1:AN/3zyz7d++OHf+4WUo/L github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= -github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI= +github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo= +github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a/go.mod h1:v8eSC2SMp9/7FTKUncp7fH9IwPfw+ysMObcEz5FWheQ= github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY= @@ -2170,8 +2201,9 @@ github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8Ie github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= -github.com/mitchellh/cli v1.1.2 h1:PvH+lL2B7IQ101xQL63Of8yFS2y+aDlsFcsqNc+u/Kw= github.com/mitchellh/cli v1.1.2/go.mod h1:6iaV0fGdElS6dPBx0EApTxHrcWvmJphyh2n8YBLPPZ4= +github.com/mitchellh/cli v1.1.5 h1:OxRIeJXpAMztws/XHlN2vu6imG5Dpq+j61AzAX5fLng= +github.com/mitchellh/cli v1.1.5/go.mod h1:v8+iFts2sPIKUV1ltktPXMCC8fumSKFItNcD2cLtRR4= github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= 
@@ -2286,7 +2318,8 @@ github.com/onsi/ginkgo/v2 v2.9.0/go.mod h1:4xkjoL/tZv4SMWeww56BU5kAt19mVB47gTWxm github.com/onsi/ginkgo/v2 v2.9.1/go.mod h1:FEcmzVcCHl+4o9bQZVab+4dC9+j+91t2FHSzmGAPfuo= github.com/onsi/ginkgo/v2 v2.9.2/go.mod h1:WHcJJG2dIlcCqVfBAwUCrJxSPFb6v4azBwgxeMeDuts= github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= -github.com/onsi/ginkgo/v2 v2.9.7 h1:06xGQy5www2oN160RtEZoTvnP2sPhEfePYmCDc2szss= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= @@ -2310,7 +2343,8 @@ github.com/onsi/gomega v1.27.1/go.mod h1:aHX5xOykVYzWOV4WqQy0sy8BQptgukenXpCXfad github.com/onsi/gomega v1.27.3/go.mod h1:5vG284IBtfDAmDyrK+eGyZmUgUlmi+Wngqo557cZ6Gw= github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3q3fQ= github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= -github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc= +github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= 
@@ -2320,7 +2354,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8= +github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0= +github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= 
@@ -2342,15 +2377,13 @@ github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xA github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/openlyinc/pointy v1.1.2/go.mod h1:w2Sytx+0FVuMKn37xpXIAyBNhFNBIJGR/v2m7ik1WtM= github.com/openshift/api v0.0.0-20210105115604-44119421ec6b/go.mod h1:aqU5Cq+kqKKPbDMqxo9FojgDeSpNJI7iuskjXjtojDg= -github.com/openshift/api v0.0.0-20211217221424-8779abfbd571 h1:+ShYlGoPriGahTTFTjQ0RtNXW0srxDodk2STdc238Rk= -github.com/openshift/api v0.0.0-20211217221424-8779abfbd571/go.mod h1:F/eU6jgr6Q2VhMu1mSpMmygxAELd7+BUxs3NHZ25jV4= github.com/openshift/api v0.0.0-20230804173756-26b8597c4de2 h1:K7rBUJvIEa9Ei7tyAv4wDwDLpOFKa6nP84JnqxrY73o= github.com/openshift/api v0.0.0-20230804173756-26b8597c4de2/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs= github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= -github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20210112165513-ebc401615f47/go.mod h1:u7NRAjtYVAKokiI9LouzTv4mhds8P4S1TwdVAfbjKSk= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A= +github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU= github.com/oracle/oci-go-sdk v7.0.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= github.com/oracle/oci-go-sdk v13.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= github.com/oracle/oci-go-sdk v24.3.0+incompatible h1:x4mcfb4agelf1O4/1/auGlZ1lr97jXRSSN5MxTgG/zU= 
@@ -2360,6 +2393,7 @@ github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnh github.com/ory/dockertest/v3 v3.8.0/go.mod h1:9zPATATlWQru+ynXP+DytBQrsXV7Tmlx7K86H6fQaDo= github.com/ory/dockertest/v3 v3.9.1/go.mod h1:42Ir9hmvaAPm0Mgibk6mBPi7SFvTXxEcnztDYOJ//uM= github.com/ovh/go-ovh v1.4.1 h1:VBGa5wMyQtTP7Zb+w97zRCh9sLtM/2YKRyy+MEJmWaM= +github.com/ovh/go-ovh v1.4.1/go.mod h1:6bL6pPyUT7tBfI0pqOegJgRjgjuO+mOo+MyXd1EEC0M= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0= github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c h1:vwpFWvAO8DeIZfFeqASzZfsxuWPno9ncAebBEP0N3uE= github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c/go.mod h1:otzZQXgoO96RTzDB/Hycg0qZcXZsWJGJRSXbmEIJ+4M= @@ -2376,6 +2410,8 @@ github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/9 github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= +github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ= +github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 h1:q2e307iGHPdTGp0hoxKjt1H5pDo6utceo3dQVK3I5XQ= 
@@ -2437,16 +2473,18 @@ github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqr github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= -github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= +github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= +github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= -github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= 
github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= @@ -2461,8 +2499,9 @@ github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+ github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= -github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= +github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= +github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/common/sigv4 v0.1.0 h1:qoVebwtwwEhS85Czm2dSROY5fTo2PAPEVdDeppTwGX4= github.com/prometheus/common/sigv4 v0.1.0/go.mod h1:2Jkxxk9yYvCkE5G1sQT7GuEXm57JrvHu9k5YwTjsNtI= github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= 
@@ -2481,18 +2520,10 @@ github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1 github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= -github.com/prometheus/procfs v0.11.0 h1:5EAgkfkMl659uZPbe9AS2N68a7Cc1TJbPEuGzFuRbyk= -github.com/prometheus/procfs v0.11.0/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= -github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI= -github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY= -github.com/prometheus/prometheus v0.45.0 h1:O/uG+Nw4kNxx/jDPxmjsSDd+9Ohql6E7ZSY1x5x/0KI= -github.com/prometheus/prometheus v0.45.0/go.mod h1:jC5hyO8ItJBnDWGecbEucMyXjzxGv9cxsxsjS9u5s1w= -github.com/prometheus/prometheus v0.46.0 h1:9JSdXnsuT6YsbODEhSQMwxNkGwPExfmzqG73vCMk/Kw= -github.com/prometheus/prometheus v0.46.0/go.mod h1:10L5IJE5CEsjee1FnOcVswYXlPIscDWWt3IJ2UDYrz4= -github.com/prometheus/prometheus v0.47.0 h1:tIJJKZGlmrMVsvIt6rMfB8he7CRHEc8ZxS5ubcZtbkM= -github.com/prometheus/prometheus v0.47.0/go.mod h1:J/bmOSjgH7lFxz2gZhrWEZs2i64vMS+HIuZfmYNhJ/M= -github.com/prometheus/prometheus v0.47.1 h1:bd2LiZyxzHn9Oo2Ei4eK2D86vz/L/OiqR1qYo0XmMBo= -github.com/prometheus/prometheus v0.47.1/go.mod h1:J/bmOSjgH7lFxz2gZhrWEZs2i64vMS+HIuZfmYNhJ/M= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/prometheus v0.47.2 h1:jWcnuQHz1o1Wu3MZ6nMJDuTI0kU5yJp9pkxh8XEkNvI= +github.com/prometheus/prometheus v0.47.2/go.mod h1:J/bmOSjgH7lFxz2gZhrWEZs2i64vMS+HIuZfmYNhJ/M= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/protocolbuffers/txtpbfmt 
v0.0.0-20230412060525-fa9f017c0ded h1:XHLAvwaTYM0PxS/HO7E0PfBaY/y0jGM5NM7g05lCb0k= github.com/protocolbuffers/txtpbfmt v0.0.0-20230412060525-fa9f017c0ded/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= 
@@ -2512,42 +2543,8 @@ github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTE github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= -github.com/rook/rook/pkg/apis v0.0.0-20230725213142-5979b3816292 h1:IhwpZi0CqkPc2XJ0/HF9onlMnJVI4S9zeXPP3Njp1xQ= -github.com/rook/rook/pkg/apis v0.0.0-20230725213142-5979b3816292/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230726164420-45a1a6ca45d2 h1:5Bb4AZe5P87cLfRlcbZHeEL0Zo/6yikNZNMeVJGhEfg= -github.com/rook/rook/pkg/apis v0.0.0-20230726164420-45a1a6ca45d2/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230726225230-a2658b13fd55 h1:2cAAtQun0iFrlkrJpA2cH4oPLDM84fA1+Up2ebC9CgE= -github.com/rook/rook/pkg/apis v0.0.0-20230726225230-a2658b13fd55/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230728172519-1cf207947c3a h1:Ev32HkbOmTynEBFiKsgu1TPNYJ8NWdKQocq9g1BtS8U= -github.com/rook/rook/pkg/apis v0.0.0-20230728172519-1cf207947c3a/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230731210627-9d789e389801 h1:f8p8x3VobFmTUEaiOcIh4oEFfHZBlwFMgcyqP9E8qQ4= -github.com/rook/rook/pkg/apis v0.0.0-20230731210627-9d789e389801/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230801141604-c86fce80eac4 h1:hOf3+2YJ8rYCkvKygOrBmfz0UW/47XrDpQZOqzOmjwg= -github.com/rook/rook/pkg/apis v0.0.0-20230801141604-c86fce80eac4/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= 
-github.com/rook/rook/pkg/apis v0.0.0-20230801182020-10a4aa716456 h1:iyECAd/TwmJy4bzXR2+/ZkWKJiNB8LIjvpcg2wTKke8= -github.com/rook/rook/pkg/apis v0.0.0-20230801182020-10a4aa716456/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230802161538-d89758da38ae h1:YbL4VjCFYTNFgs5ogutfHCZwl+va37zm8DsDnKuemCY= -github.com/rook/rook/pkg/apis v0.0.0-20230802161538-d89758da38ae/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230803175829-7269b14c1ad9 h1:Rlyn6RZK6LDvHaCtONwVwjdw74x9vgwcOiARypktT3c= -github.com/rook/rook/pkg/apis v0.0.0-20230803175829-7269b14c1ad9/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230804145609-7aaf46e11243 h1:lMDyz6mV1dVje7bll3fU2EDYCAu0zrN6c/1yqaNKpkE= -github.com/rook/rook/pkg/apis v0.0.0-20230804145609-7aaf46e11243/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230809174505-71f078c0fcfe h1:c6rphhJ+Q5f9ZXi3Pja6aQzN3s0qFr/BFEBrdb8x4Lo= -github.com/rook/rook/pkg/apis v0.0.0-20230809174505-71f078c0fcfe/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230811194221-d4b806d20c06 h1:LODl1Jd82ujWHgRK9TFYf5eo91M6iJEdFMLBXGOALrI= -github.com/rook/rook/pkg/apis v0.0.0-20230811194221-d4b806d20c06/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230815172026-561511e8d43c h1:XfSnyOWgjfTbgu/IhRzraUSKwTBD0aD7KPr72omDYfA= -github.com/rook/rook/pkg/apis v0.0.0-20230815172026-561511e8d43c/go.mod h1:x3pir+Hs19XgJOlBmYdTxk5QR27ImpKhy68I5WS7Q/M= -github.com/rook/rook/pkg/apis v0.0.0-20230816201154-f3764cc7ad97 h1:oFNeHEF8fbfVOn7y5zpgsxjT/bgAgrw81Vw9PkK5IB0= -github.com/rook/rook/pkg/apis v0.0.0-20230816201154-f3764cc7ad97/go.mod h1:OnII9BWrgKO/8bZn41hIFcIsVUwh2Dow4ZrmTscN2vc= -github.com/rook/rook/pkg/apis v0.0.0-20230817185149-430e8552a42c h1:nIflNersU4F2aremu6IpBIDUIbdLFyVS6YIyfcnvr3k= 
-github.com/rook/rook/pkg/apis v0.0.0-20230817185149-430e8552a42c/go.mod h1:OnII9BWrgKO/8bZn41hIFcIsVUwh2Dow4ZrmTscN2vc= -github.com/rook/rook/pkg/apis v0.0.0-20230818141252-e2debde4458d h1:EPJlfCNqSSt6zQy2UgT2tMBDF05aWeJnVEtcPCWugPM= -github.com/rook/rook/pkg/apis v0.0.0-20230818141252-e2debde4458d/go.mod h1:OnII9BWrgKO/8bZn41hIFcIsVUwh2Dow4ZrmTscN2vc= -github.com/rook/rook/pkg/apis v0.0.0-20230821161714-9a5ea4c92b9f h1:iirskjTrtECJu0pyRqCl5IQeia3/JCIyx08UbAL4L+4= -github.com/rook/rook/pkg/apis v0.0.0-20230821161714-9a5ea4c92b9f/go.mod h1:OnII9BWrgKO/8bZn41hIFcIsVUwh2Dow4ZrmTscN2vc= +github.com/rogpeppe/go-internal v1.11.1-0.20230926105539-32ae33786ecc h1:mutztH6OmvFf2MGH0cqacv/FCFLkJn/rz3i7E/VWfm0= +github.com/rogpeppe/go-internal v1.11.1-0.20230926105539-32ae33786ecc/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/rook/rook/pkg/apis v0.0.0-20230822134130-9803bd5aa7b5 h1:J445Mlv45TGR5ebmKV1JKDeYXsGKb6qGCahmOEz5fG8= github.com/rook/rook/pkg/apis v0.0.0-20230822134130-9803bd5aa7b5/go.mod h1:OnII9BWrgKO/8bZn41hIFcIsVUwh2Dow4ZrmTscN2vc= github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ= 
@@ -2566,10 +2563,12 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= -github.com/sasha-s/go-deadlock v0.2.0 h1:lMqc+fUb7RrFS3gQLtoQsJ7/6TV/pAIFvBsqX73DK8Y= github.com/sasha-s/go-deadlock v0.2.0/go.mod h1:StQn567HiB1fF2yJ44N9au7wOhrPS3iZqiDbRupzT10= +github.com/sasha-s/go-deadlock v0.3.1 h1:sqv7fDNShgjcaxkO0JNcOAlr8B9+cV5Ey/OB71efZx0= +github.com/sasha-s/go-deadlock v0.3.1/go.mod h1:F73l+cr82YSh10GxyRI6qZiCgK64VaZjwesgfQ1/iLM= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/scaleway/scaleway-sdk-go v1.0.0-beta.17 h1:1WuWJu7/e8SqK+uQl7lfk/N/oMZTL2NE/TJsNKRNMc4= +github.com/scaleway/scaleway-sdk-go v1.0.0-beta.21 h1:yWfiTPwYxB0l5fGMhl/G+liULugVIHD9AU77iNLrURQ= +github.com/scaleway/scaleway-sdk-go v1.0.0-beta.21/go.mod h1:fCa7OJZ/9DRTnOKmxvT6pn+LPWUptQAmHF/SBJUGEcg= github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= github.com/sean-/conswriter v0.0.0-20180208195008-f5ae3917a627/go.mod h1:7zjs06qF79/FKAJpBvFx3P8Ww4UTIMAe+lpNXDHziac= github.com/sean-/pager v0.0.0-20180208200047-666be9bf53b5/go.mod h1:BeybITEsBEg6qbIiqJ6/Bqeq25bCLbL7YFmpaFfJDuM= 
@@ -2579,12 +2578,19 @@ github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sethvargo/go-limiter v0.7.1 h1:wWNhTj0pxjyJ7wuJHpRJpYwJn+bUnjYfw2a85eu5w9U= github.com/sethvargo/go-limiter v0.7.1/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU= -github.com/shirou/gopsutil/v3 v3.22.6 h1:FnHOFOh+cYAM0C30P+zysPISzlknLC5Z1G4EAElznfQ= github.com/shirou/gopsutil/v3 v3.22.6/go.mod h1:EdIubSnZhbAvBS1yJ7Xi+AShB/hxwLHOMz4MCYz7yMs= +github.com/shirou/gopsutil/v3 v3.23.5 h1:5SgDCeQ0KW0S4N0znjeM/eFHXXOKyv2dVNgRq/c9P6Y= +github.com/shirou/gopsutil/v3 v3.23.5/go.mod h1:Ng3Maa27Q2KARVJ0SPZF5NdrQSC3XHKP8IIWrHgMeLY= +github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM= +github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ= +github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= +github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= 
@@ -2608,8 +2614,9 @@ github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d/go.mod h1:C github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= -github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b h1:br+bPNZsJWKicw/5rALEo67QHs5weyD5tf8WST+4sJ0= github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= +github.com/sony/gobreaker v0.5.0 h1:dRCvqm0P490vZPmy7ppEk2qCnCieBooFJ+YoXGYB+yg= +github.com/sony/gobreaker v0.5.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= 
@@ -2617,16 +2624,21 @@ github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTd github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= +github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM= +github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA= +github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48= github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= -github.com/spf13/cobra v1.6.0/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= +github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod 
h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= @@ -2635,6 +2647,8 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc= +github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg= github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= 
@@ -2660,9 +2674,12 @@ github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8= +github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= 
@@ -2673,10 +2690,12 @@ github.com/tetratelabs/wazero v1.0.2 h1:lpwL5zczFHk2mxKur98035Gig+Z3vd9JURk6lUdZ github.com/tetratelabs/wazero v1.0.2/go.mod h1:wYx2gNRg8/WihJfSDxA1TIL8H+GkfLYm+bIfbblu9VQ= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tilinna/clock v1.0.2/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao= -github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw= github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk= -github.com/tklauser/numcpus v0.4.0 h1:E53Dm1HjH1/R2/aoCtXtPgzmElmn51aOkhCFSuZq//o= +github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM= +github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI= github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ= +github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms= +github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= 
@@ -2692,21 +2711,45 @@ github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0o github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasthttp v1.30.0/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus= +github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ= +github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY= +github.com/valyala/fastrand v1.1.0 h1:f+5HkLW4rsgzdNoleUOB69hyT9IlD2ZQh9GyDMfb5G8= +github.com/valyala/fastrand v1.1.0/go.mod h1:HWqCzkrkg6QXT8V2EXWvXCoow7vLwOFN002oeRzjapQ= +github.com/valyala/fasttemplate v1.2.2 h1:lxLXG0uE3Qnshl9QyaK6XJxMXlQZELvChBOCmQD0Loo= +github.com/valyala/fasttemplate v1.2.2/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ= +github.com/valyala/histogram v1.2.0 h1:wyYGAZZt3CpwUiIb9AU/Zbllg1llXyrtApRS815OLoQ= +github.com/valyala/histogram v1.2.0/go.mod h1:Hb4kBwb4UxsaNbbbh+RRz8ZR6pdodR57tzWUS3BUzXY= +github.com/valyala/quicktemplate v1.7.0 h1:LUPTJmlVcb46OOUY3IeD9DojFpAVbsG+5WFTcjMJzCM= +github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/VPSJnLYn+LmLk8= +github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netlink 
v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= +github.com/vishvananda/netlink v1.2.1-beta.2.0.20230621221334-77712cff8739 h1:mi+RH1U/MmAQvz2Ys7r1/8OWlGJoBvF8iCXRKk2uym4= +github.com/vishvananda/netlink v1.2.1-beta.2.0.20230621221334-77712cff8739/go.mod h1:0BeLktV/jHb2/Hmw1yLD7+yaIB8PDy11RCty0tCPWZg= github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= +github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8= +github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/vmware/govmomi v0.18.0/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= -github.com/vmware/govmomi v0.30.0 h1:Fm8ugPnnlMSTSceDKY9goGvjmqc6eQLPUSUeNXdpeXA= +github.com/vmware/govmomi v0.30.6 h1:O3tjSwQBy0XwI5uK1/yVIfQ1LP9bAECEDUfifnyGs9U= +github.com/vmware/govmomi v0.30.6/go.mod h1:epgoslm97rLECMV4D+08ORzUBEU7boFSepKjt7AYVGg= github.com/vultr/govultr/v2 v2.17.2 h1:gej/rwr91Puc/tgh+j33p/BLR16UrIPnSr+AIwYWZQs= +github.com/vultr/govultr/v2 v2.17.2/go.mod h1:ZFOKGWmgjytfyjeyAdhQlSWwTjh2ig+X49cAp50dzXI= github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= +github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= +github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= github.com/xdg-go/stringprep v1.0.2/go.mod 
h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= +github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= +github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -2729,13 +2772,13 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yuin/gopher-lua v0.0.0-20200816102855-ee81675732da/go.mod h1:E1AXubJBdNmFERAOucpDIxNzeGfLzg0mYh+UfMWdChA= github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9/go.mod h1:E1AXubJBdNmFERAOucpDIxNzeGfLzg0mYh+UfMWdChA= -github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw= +github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= 
@@ -2745,33 +2788,26 @@ github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxt go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= -go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= +go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ= go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/api/v3 v3.5.7/go.mod h1:9qew1gCdDDLu+VwmeG+iFpL+QlpHTo7iubavdVDgCAA= go.etcd.io/etcd/api/v3 v3.5.9 h1:4wSsluwyTbGGmyjJktOf3wFQoTBIURXHnq9n/G/JQHs= go.etcd.io/etcd/api/v3 v3.5.9/go.mod h1:uyAal843mC8uUVSLWz6eHa/d971iDGnCRpmKd2Z+X8k= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/pkg/v3 v3.5.7/go.mod h1:o0Abi1MK86iad3YrWhgUsbGx1pmTS+hrORWc2CamuhY= go.etcd.io/etcd/client/pkg/v3 v3.5.9 h1:oidDC4+YEuSIQbsR94rY9gur91UPL6DnxDCIYd2IGsE= go.etcd.io/etcd/client/pkg/v3 v3.5.9/go.mod h1:y+CzeSmkMpWN2Jyu1npecjB9BBnABxGM4pN8cGuJeL4= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.etcd.io/etcd/client/v2 v2.305.7 h1:AELPkjNR3/igjbO7CjyF1fPuVPjrblliiKj+Y6xSGOU= -go.etcd.io/etcd/client/v2 v2.305.7/go.mod h1:GQGT5Z3TBuAQGvgPfhR7VPySu/SudxmEkRq9BgzFU6s= +go.etcd.io/etcd/client/v2 v2.305.9 h1:YZ2OLi0OvR0H75AcgSUajjd5uqKDKocQUqROTG11jIo= go.etcd.io/etcd/client/v2 v2.305.9/go.mod h1:0NBdNx9wbxtEQLwAQtrDHwx58m02vXpDcgSYI2seohQ= go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= -go.etcd.io/etcd/client/v3 v3.5.7/go.mod h1:sOWmj9DZUMyAngS7QQwCyAXXAL6WhgTOPLNS/NabQgw= go.etcd.io/etcd/client/v3 v3.5.9 
h1:r5xghnU7CwbUxD/fbUtRyJGaYNfDun8sp/gTr1hew6E= go.etcd.io/etcd/client/v3 v3.5.9/go.mod h1:i/Eo5LrZ5IKqpbtpPDuaUnDOUv471oDg8cjQaUr2MbA= -go.etcd.io/etcd/pkg/v3 v3.5.7 h1:obOzeVwerFwZ9trMWapU/VjDcYUJb5OfgC1zqEGWO/0= -go.etcd.io/etcd/pkg/v3 v3.5.7/go.mod h1:kcOfWt3Ov9zgYdOiJ/o1Y9zFfLhQjylTgL4Lru8opRo= +go.etcd.io/etcd/pkg/v3 v3.5.9 h1:6R2jg/aWd/zB9+9JxmijDKStGJAPFsX3e6BeJkMi6eQ= go.etcd.io/etcd/pkg/v3 v3.5.9/go.mod h1:BZl0SAShQFk0IpLWR78T/+pyt8AruMHhTNNX73hkNVY= -go.etcd.io/etcd/raft/v3 v3.5.7 h1:aN79qxLmV3SvIq84aNTliYGmjwsW6NqJSnqmI1HLJKc= -go.etcd.io/etcd/raft/v3 v3.5.7/go.mod h1:TflkAb/8Uy6JFBxcRaH2Fr6Slm9mCPVdI2efzxY96yU= +go.etcd.io/etcd/raft/v3 v3.5.9 h1:ZZ1GIHoUlHsn0QVqiRysAm3/81Xx7+i2d7nSdWxlOiI= go.etcd.io/etcd/raft/v3 v3.5.9/go.mod h1:WnFkqzFdZua4LVlVXQEGhmooLeyS7mqzS4Pf4BCVqXg= -go.etcd.io/etcd/server/v3 v3.5.7 h1:BTBD8IJUV7YFgsczZMHhMTS67XuA4KpRquL0MFOJGRk= -go.etcd.io/etcd/server/v3 v3.5.7/go.mod h1:gxBgT84issUVBRpZ3XkW1T55NjOb4vZZRI4wVvNhf4A= +go.etcd.io/etcd/server/v3 v3.5.9 h1:vomEmmxeztLtS5OEH7d0hBAg4cjVIu9wXuNzUZx2ZA0= go.etcd.io/etcd/server/v3 v3.5.9/go.mod h1:GgI1fQClQCFIzuVjlvdbMxNbnISt90gdfYyqiAIt65g= go.etcd.io/gofail v0.1.0/go.mod h1:VZBCXYGZhHAinaBiiqYvuDynvahNsAyLFwB3kEHKz1M= go.mongodb.org/atlas v0.13.0/go.mod h1:wVCnHcm/7/IfTjEB6K8K35PLG70yGz8BdkRwX0oK9/M= 
@@ -2784,7 +2820,10 @@ go.mongodb.org/mongo-driver v1.4.3/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4S go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg= -go.mongodb.org/mongo-driver v1.11.3 h1:Ql6K6qYHEzB6xvu4+AU0BoRoqf9vFPcc4o7MUIdPW8Y= +go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= +go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= +go.mongodb.org/mongo-driver v1.12.1 h1:nLkghSU8fQNaK7oUmDhQFsnrtcoNy7Z6LVFKsEecqgE= +go.mongodb.org/mongo-driver v1.12.1/go.mod h1:/rGBTebI3XYboVmgz+Wv3Bcbl3aD0QF9zl6kDDw18rQ= go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= 
@@ -2797,54 +2836,48 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.25.0/go.mod h1:E5NNboN0UqSAki0Atn9kVwaN7I+l25gGxDqBueo/74E= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 h1:ZOLJc06r4CB42laIXg/7udr0pbZyuAihN10A/XuiQRY= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0/go.mod h1:5z+/ZWJQKXa9YT34fQNx5K8Hd1EoIhvtUygUQPqEOgQ= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 h1:RsQi0qJ2imFfCvZabqzM9cNXBG8k6gXMv1A0cXRmH6A= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0/go.mod h1:vsh3ySueQCiKPxFLvjWC4Z135gIa34TQ/NSqkDTZYUM= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0 h1:pginetY7+onl4qN1vl0xW/V/v6OBZ0vVdH+esuJgvmM= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0/go.mod h1:XiYsayHc36K3EByOO6nbAXnAWbrUxdjUROCEeeROOH8= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 h1:KfYpVmrjI7JuToy5k8XV3nkapjWx48k4E4JOtVstzQI= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0/go.mod h1:SeQhzAEccGVZVEy7aH87Nh0km+utSpo1pTv6eMMop48= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= go.opentelemetry.io/otel v1.0.1/go.mod h1:OPEOD4jIT2SlZPMmwT6FqZz2C0ZNdQqiWcoK6M0SNFU= go.opentelemetry.io/otel v1.8.0/go.mod h1:2pkj+iMj0o03Y+cW6/m8Y4WkRdYN3AvCXCnzRMp9yvM= go.opentelemetry.io/otel v1.10.0/go.mod h1:NbvWjCthWHKBEUMpf0/v8ZRZlni86PpGFEMA9pnQSnQ= -go.opentelemetry.io/otel v1.16.0 
h1:Z7GVAX/UkAXPKsy94IU+i6thsQS4nb7LviLpnaNeW8s= -go.opentelemetry.io/otel v1.16.0/go.mod h1:vl0h9NUa1D5s1nv3A5vZOYWn8av4K8Ml6JDeHrT/bx4= +go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= +go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0/go.mod h1:78XhIg8Ht9vR4tbLNUhXsiOnE2HOuSeKAiAcoVQEpOY= -go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 h1:t4ZwRPU+emrcvM2e9DHd0Fsf0JTPVcbfa/BhTDF03d0= -go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0/go.mod h1:vLarbg68dH2Wa77g71zmKQqlQ8+8Rq3GRG31uc0WcWI= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.0.1/go.mod h1:Kv8liBeVNFkkkbilbgWRpV+wWuu+H5xdOT6HAgd30iw= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0/go.mod h1:Krqnjl22jUJ0HgMzw5eveuCvFDXY4nSYb4F8t5gdrag= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 h1:cbsD4cUcviQGXdw8+bo5x2wazq10SKz8hEbtCRPcU78= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0/go.mod h1:JgXSGah17croqhJfhByOLVY719k1emAXC8MVhCIJlRs= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.1/go.mod h1:xOvWoTOrQjxjW61xtOmD/WKGRYb/P4NzRo3bs65U6Rk= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0/go.mod h1:OfUCyyIiDvNXHWpcWgbF+MWvqPZiNa3YDEnivcnYsV0= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0 h1:TVQp/bboR4mhZSav+MdgXB8FaRho1RC8UwVn3T0vjVc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0/go.mod h1:I33vtIe0sR96wfrUcilIzLoA3mLHhRmz9S9Te0S3gDo= -go.opentelemetry.io/otel/internal/metric v0.25.0/go.mod h1:Nhuw26QSX7d6n4duoqAFi5KOQR4AuzyMcl5eXOgwxtc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc 
v1.19.0 h1:3d+S281UTjM+AbF31XSOYn1qXn3BgIdWl8HNEpx08Jk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= go.opentelemetry.io/otel/metric v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A= -go.opentelemetry.io/otel/metric v1.16.0 h1:RbrpwVG1Hfv85LgnZ7+txXioPDoh6EdbZHo26Q3hqOo= -go.opentelemetry.io/otel/metric v1.16.0/go.mod h1:QE47cpOmkwipPiefDwo2wDzwJrlfxxNYodqc4xnGCo4= +go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= +go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc= go.opentelemetry.io/otel/sdk v1.0.1/go.mod h1:HrdXne+BiwsOHYYkBE5ysIcv2bvdZstxzmCQhxTcZkI= go.opentelemetry.io/otel/sdk v1.10.0/go.mod h1:vO06iKzD5baltJz1zarxMCNHFpUlUiOy4s65ECtn6kE= -go.opentelemetry.io/otel/sdk v1.16.0 h1:Z1Ok1YsijYL0CSJpHt4cS3wDDh7p572grzNrBMiMWgE= -go.opentelemetry.io/otel/sdk v1.16.0/go.mod h1:tMsIuKXuuIWPBAOrH+eHtvhTL+SntFtXF9QD68aP6p4= +go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= +go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= go.opentelemetry.io/otel/trace v1.0.1/go.mod h1:5g4i4fKLaX2BQpSBsxw8YYcgKpMMSW3x7ZTuYBr3sUk= go.opentelemetry.io/otel/trace v1.8.0/go.mod h1:0Bt3PXY8w+3pheS3hQUt+wow8b1ojPaTBoTCh2zIFI4= go.opentelemetry.io/otel/trace v1.10.0/go.mod h1:Sij3YYczqAdz+EhmGhE6TpTxUO5/F/AzrK+kxfGqySM= -go.opentelemetry.io/otel/trace v1.16.0 h1:8JRpaObFoW0pxuVPapkgH8UhHQj+bJW8jJsCZEu5MQs= -go.opentelemetry.io/otel/trace v1.16.0/go.mod 
h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLkqr2QVwea0ef0= +go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg= +go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v0.9.0/go.mod h1:1vKfU9rv61e9EVGthD1zNvUbiwPcimSsOPU9brfSHJg= go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= -go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw= go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= -go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 h1:Ss6D3hLXTM0KobyBYEAygXzFfGcjnmfEJOBgSbemCtg= -go.starlark.net v0.0.0-20230302034142-4b1e35fe2254/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 
@@ -2856,6 +2889,8 @@ go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +go.uber.org/dig v1.17.0 h1:5Chju+tUvcC+N7N6EV08BJz41UZuO3BmHcN4A287ZLI= +go.uber.org/dig v1.17.0/go.mod h1:rTxpf7l5I0eBTlE6/9RL+lDybC7WFwY2QH55ZSjy1mU= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= 
@@ -2876,11 +2911,8 @@ go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI= -go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c= -go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk= -golang.org/x/arch v0.0.0-20180920145803-b19384d3c130/go.mod h1:cYlCBUl1MsqxdiKgmc4uh7TxZfWSFLOGSRR090WDxt8= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180820150726-614d502a4dac/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 
@@ -2928,17 +2960,12 @@ golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= -golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM= -golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= -golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= -golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= -golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= -golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= -golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -2955,12 +2982,8 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= -golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc= -golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= -golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 h1:MGwJjxBy0HJshjDNfLsYO8xppfqWlA5ZT9OhtUUhTNw= -golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc= -golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= -golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= 
@@ -3005,10 +3028,9 @@ golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= -golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= +golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -3067,9 +3089,11 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= +golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210505024714-0287a6fb4125/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 
@@ -3099,23 +3123,14 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= -golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU= -golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= -golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= -golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= -golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY= -golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= -golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= -golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= -golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 
v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -3147,14 +3162,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= -golang.org/x/oauth2 v0.9.0 h1:BPpt2kU7oMRq3kCHAA1tbSEshXRw1LpG2ztgDwrzuAs= -golang.org/x/oauth2 v0.9.0/go.mod h1:qYgFZaFiu6Wg24azG8bdV52QJXJGbZzIIsRCdVKzbLw= -golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= -golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= -golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= -golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= -golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= -golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= +golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -3173,11 +3182,10 @@ golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180903190138-2b024373dcd9/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -3280,6 +3288,7 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -3340,14 +3349,9 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s= -golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= -golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.9.1-0.20230616193735-e0c3b6e6ae3b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -3361,14 +3365,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28= -golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= -golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= -golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= -golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= -golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= -golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU= -golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -3386,12 +3384,6 @@ golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58= -golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= -golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -3470,7 +3462,6 @@ golang.org/x/tools v0.0.0-20200409170454-77362c5149f0/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200416214402-fc959738d646/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 
@@ -3496,7 +3487,6 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 
@@ -3506,12 +3496,8 @@ golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= -golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= -golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= -golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8= -golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8= -golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= -golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= +golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -3523,8 +3509,6 @@ golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNq golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= -gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc= -gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo= 
@@ -3596,16 +3580,18 @@ google.golang.org/api v0.107.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY= google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= -google.golang.org/api v0.114.0 h1:1xQPji6cO2E2vLiI+C/XiFAnsn1WV3mjaEwGLhi3grE= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= +google.golang.org/api v0.148.0 h1:HBq4TZlN4/1pNcu0geJZ/Q50vIwIXT532UIMYoo0vOs= +google.golang.org/api v0.148.0/go.mod h1:8/TBgwaKjfqTdacOJrOv2+2Q6fBDU1uHKK06oGSkxzU= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk= google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 
@@ -3682,7 +3668,6 @@ google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ6 google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220207185906-7721543eae58/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= 
@@ -3755,26 +3740,18 @@ google.golang.org/genproto v0.0.0-20230320184635-7606e756e683/go.mod h1:NWraEVix google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= google.golang.org/genproto v0.0.0-20230525234025-438c736192d0/go.mod h1:9ExIQyXL5hZrHzQceCwuSYwZZ5QZBazOcprJ5rgs3lY= google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk= -google.golang.org/genproto v0.0.0-20230717213848-3f92550aa753 h1:+VoAg+OKmWaommL56xmZSE2sUK8A7m6SUO7X89F2tbw= -google.golang.org/genproto v0.0.0-20230717213848-3f92550aa753/go.mod h1:iqkVr8IRpZ53gx1dEnWlCUIEwDWqWARWrbzpasaTNYM= -google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 h1:L6iMMGrtzgHsWofoFcihmDEMYeDR9KN/ThbPWGrh++g= -google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8= +google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA= +google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI= google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.mod h1:ts19tUU+Z0ZShN1y3aPyq2+O3d5FUNNgT6FtOzmrNn8= google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= -google.golang.org/genproto/googleapis/api v0.0.0-20230717213848-3f92550aa753 h1:lCbbUxUDD+DiXx9Q6F/ttL0aAu7N2pz8XnmMm8ZW4NE= 
-google.golang.org/genproto/googleapis/api v0.0.0-20230717213848-3f92550aa753/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= -google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 h1:nIgk/EEq3/YlnmVVXVnm14rC2oxgs1o0ong4sD/rd44= -google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q= +google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k= +google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870= google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234015-3fc162c6f38a/go.mod h1:xURIpW9ES5+/GZhnV6beoEtxQrnkRGIfP5VQG2tCBLc= google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230717213848-3f92550aa753 h1:XUODHrpzJEUeWmVo/jfNTLj0YyVveOo28oE6vkFbkO4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230717213848-3f92550aa753/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 h1:o4LtQxebKIJ4vkzyhtD2rfUNZ20Zf0ik5YVP5E7G7VE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc= google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= 
@@ -3823,12 +3800,8 @@ google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCD google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= -google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ= -google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= -google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI= -google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= -google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw= -google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= +google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
@@ -3871,6 +3844,7 @@ gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= +gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4= gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= @@ -3882,7 +3856,6 @@ gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76 gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/src-d/go-billy.v4 v4.3.0/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -3905,8 +3878,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +gotest.tools/v3 v3.2.0 h1:I0DwBVMGAx26dttAj1BtJLAkVGncrkkUXfJLC4Flt/I= gotest.tools/v3 v3.2.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A= -gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -3915,78 +3888,24 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= -k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs= -k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y= -k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM= -k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY= -k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108= -k8s.io/api v0.28.1/go.mod h1:uBYwID+66wiL28Kn2tBjBYQdEU0Xk0z5qF8bIBqk/Dg= -k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw= -k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg= -k8s.io/apiextensions-apiserver v0.27.4 h1:ie1yZG4nY/wvFMIR2hXBeSVq+HfNzib60FjnBYtPGSs= -k8s.io/apiextensions-apiserver v0.27.4/go.mod h1:KHZaDr5H9IbGEnSskEUp/DsdXe1hMQ7uzpQcYUFt2bM= -k8s.io/apiextensions-apiserver v0.28.0 h1:CszgmBL8CizEnj4sj7/PtLGey6Na3YgWyGCPONv7E9E= -k8s.io/apiextensions-apiserver v0.28.0/go.mod h1:uRdYiwIuu0SyqJKriKmqEN2jThIJPhVmOWETm8ud1VE= -k8s.io/apiextensions-apiserver v0.28.1 h1:l2ThkBRjrWpw4f24uq0Da2HaEgqJZ7pcgiEUTKSmQZw= -k8s.io/apiextensions-apiserver v0.28.1/go.mod h1:sVvrI+P4vxh2YBBcm8n2ThjNyzU4BQGilCQ/JAY5kGs= -k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU= -k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg= -k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= -k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= -k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA= -k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= 
-k8s.io/apimachinery v0.28.1 h1:EJD40og3GizBSV3mkIoXQBsws32okPOy+MkRyzh6nPY= -k8s.io/apimachinery v0.28.1/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= -k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ= -k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU= -k8s.io/apiserver v0.27.4 h1:ncZ0MBR9yQ/Gf34rtu1EK+HqT8In1YpfAUINu/Akvho= -k8s.io/apiserver v0.27.4/go.mod h1:GDEFRfFZ4/l+pAvwYRnoSfz0K4j3TWiN4WsG2KnRteE= -k8s.io/apiserver v0.28.0 h1:wVh7bK6Xj7hq+5ntInysTeQRAOqqFoKGUOW2yj8DXrY= -k8s.io/apiserver v0.28.0/go.mod h1:MvLmtxhQ0Tb1SZk4hfJBjs8iqr5nhYeaFSaoEcz7Lk4= -k8s.io/apiserver v0.28.1 h1:dw2/NKauDZCnOUAzIo2hFhtBRUo6gQK832NV8kuDbGM= -k8s.io/apiserver v0.28.1/go.mod h1:d8aizlSRB6yRgJ6PKfDkdwCy2DXt/d1FDR6iJN9kY1w= -k8s.io/apiserver v0.28.2 h1:rBeYkLvF94Nku9XfXyUIirsVzCzJBs6jMn3NWeHieyI= -k8s.io/apiserver v0.28.2/go.mod h1:f7D5e8wH8MWcKD7azq6Csw9UN+CjdtXIVQUyUhrtb+E= -k8s.io/cli-runtime v0.27.4 h1:Zb0eci+58eHZNnoHhjRFc7W88s8dlG12VtIl3Nv2Hto= -k8s.io/cli-runtime v0.27.4/go.mod h1:k9Z1xiZq2xNplQmehpDquLgc+rE+pubpO1cK4al4Mlw= -k8s.io/cli-runtime v0.28.0 h1:Tcz1nnccXZDNIzoH6EwjCs+7ezkUGhorzCweEvlVOFg= -k8s.io/cli-runtime v0.28.0/go.mod h1:U+ySmOKBm/JUCmebhmecXeTwNN1RzI7DW4+OM8Oryas= -k8s.io/cli-runtime v0.28.1 h1:7Njc4eD5kaO4tYdSYVJJEs54koYD/vT6gxOq8dEVf9g= -k8s.io/cli-runtime v0.28.1/go.mod h1:yIThSWkAVLqeRs74CMkq6lNFW42GyJmvMtcNn01SZho= -k8s.io/cli-runtime v0.28.2 h1:64meB2fDj10/ThIMEJLO29a1oujSm0GQmKzh1RtA/uk= -k8s.io/cli-runtime v0.28.2/go.mod h1:bTpGOvpdsPtDKoyfG4EG041WIyFZLV9qq4rPlkyYfDA= -k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk= -k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc= -k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM= -k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc= -k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8= -k8s.io/client-go v0.28.1/go.mod 
h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE= -k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY= -k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY= -k8s.io/code-generator v0.27.4/go.mod h1:DPung1sI5vBgn4AGKtlPRQAyagj/ir/4jI55ipZHVww= -k8s.io/code-generator v0.28.0/go.mod h1:ueeSJZJ61NHBa0ccWLey6mwawum25vX61nRZ6WOzN9A= -k8s.io/code-generator v0.28.1/go.mod h1:ueeSJZJ61NHBa0ccWLey6mwawum25vX61nRZ6WOzN9A= -k8s.io/code-generator v0.28.2/go.mod h1:ueeSJZJ61NHBa0ccWLey6mwawum25vX61nRZ6WOzN9A= -k8s.io/component-base v0.27.4 h1:Wqc0jMKEDGjKXdae8hBXeskRP//vu1m6ypC+gwErj4c= -k8s.io/component-base v0.27.4/go.mod h1:hoiEETnLc0ioLv6WPeDt8vD34DDeB35MfQnxCARq3kY= -k8s.io/component-base v0.28.0 h1:HQKy1enJrOeJlTlN4a6dU09wtmXaUvThC0irImfqyxI= -k8s.io/component-base v0.28.0/go.mod h1:Yyf3+ZypLfMydVzuLBqJ5V7Kx6WwDr/5cN+dFjw1FNk= -k8s.io/component-base v0.28.1 h1:LA4AujMlK2mr0tZbQDZkjWbdhTV5bRyEyAFe0TJxlWg= -k8s.io/component-base v0.28.1/go.mod h1:jI11OyhbX21Qtbav7JkhehyBsIRfnO8oEgoAR12ArIU= -k8s.io/component-base v0.28.2 h1:Yc1yU+6AQSlpJZyvehm/NkJBII72rzlEsd6MkBQ+G0E= -k8s.io/component-base v0.28.2/go.mod h1:4IuQPQviQCg3du4si8GpMrhAIegxpsgPngPRR/zWpzc= -k8s.io/component-helpers v0.27.4 h1:l1hn/Zx9mWXflo5xz1mo5RRW2g8b6rptWCG7My6rYoE= -k8s.io/component-helpers v0.27.4/go.mod h1:ayW5btpTdJkVv+CcxhzNRfWT+oPrV6T6qZ1Ay6NEJNI= -k8s.io/component-helpers v0.28.0 h1:ubHUiEF7H/DOx4471pHHsLlH3EGu8jlEvnld5PS4KdI= -k8s.io/component-helpers v0.28.0/go.mod h1:i7hJ/oFhZImqUWwjLFG/yGkLpJ3KFoirY2DLYIMql6Q= -k8s.io/component-helpers v0.28.1 h1:ts/vykhyUmPLhUl/hdLdf+a4BWA0giQ3f25HAIhl+RI= -k8s.io/component-helpers v0.28.1/go.mod h1:rHFPj33uXNbgppg+ilmjJ4oR73prZQNRRmg+utVOAb0= -k8s.io/component-helpers v0.28.2 h1:r/XJ265PMirW9EcGXr/F+2yWrLPo2I69KdvcY/h9HAo= -k8s.io/component-helpers v0.28.2/go.mod h1:pF1R5YWQ+sgf0i6EbVm+MQCzkYuqutDUibdrkvAa6aI= -k8s.io/cri-api v0.27.4/go.mod h1:+Ts/AVYbIo04S86XbTD73UPp/DkTiYxtsFeOFEu32L0= -k8s.io/cri-api 
v0.28.0/go.mod h1:xXygwvSOGcT/2KXg8sMYTHns2xFem3949kCQn5IS1k4= -k8s.io/cri-api v0.28.1/go.mod h1:xXygwvSOGcT/2KXg8sMYTHns2xFem3949kCQn5IS1k4= -k8s.io/cri-api v0.28.2/go.mod h1:xXygwvSOGcT/2KXg8sMYTHns2xFem3949kCQn5IS1k4= +k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM= +k8s.io/api v0.28.3/go.mod h1:MRCV/jr1dW87/qJnZ57U5Pak65LGmQVkKTzf3AtKFHc= +k8s.io/apiextensions-apiserver v0.28.3 h1:Od7DEnhXHnHPZG+W9I97/fSQkVpVPQx2diy+2EtmY08= +k8s.io/apiextensions-apiserver v0.28.3/go.mod h1:NE1XJZ4On0hS11aWWJUTNkmVB03j9LM7gJSisbRt8Lc= +k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A= +k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8= +k8s.io/apiserver v0.28.3 h1:8Ov47O1cMyeDzTXz0rwcfIIGAP/dP7L8rWbEljRcg5w= +k8s.io/apiserver v0.28.3/go.mod h1:YIpM+9wngNAv8Ctt0rHG4vQuX/I5rvkEMtZtsxW2rNM= +k8s.io/cli-runtime v0.28.3 h1:lvuJYVkwCqHEvpS6KuTZsUVwPePFjBfSGvuaLl2SxzA= +k8s.io/cli-runtime v0.28.3/go.mod h1:jeX37ZPjIcENVuXDDTskG3+FnVuZms5D9omDXS/2Jjc= +k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4= +k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo= +k8s.io/code-generator v0.28.3/go.mod h1:A2EAHTRYvCvBrb/MM2zZBNipeCk3f8NtpdNIKawC43M= +k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI= +k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8= +k8s.io/component-helpers v0.28.3 h1:te9ieTGzcztVktUs92X53P6BamAoP73MK0qQP0WmDqc= +k8s.io/component-helpers v0.28.3/go.mod h1:oJR7I9ist5UAQ3y/CTdbw6CXxdMZ1Lw2Ua/EZEwnVLs= +k8s.io/cri-api v0.28.3/go.mod h1:MTdJO2fikImnX+YzE2Ccnosj3Hw2Cinw2fXYV3ppUIE= k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= 
@@ -3995,77 +3914,32 @@ k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= -k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kms v0.27.4 h1:FeT17HfqxZMP7dTq3Gpa9dG05iP3J3wgGtqGh1SUoN0= -k8s.io/kms v0.27.4/go.mod h1:0BY6tkfa+zOP85u8yE7iNNf1Yx7rEZnRQSWLEbsSk+w= -k8s.io/kms v0.28.0 h1:BwJhU9qPcJhHLUcQjtelOSjYti+1/caJLr+4jHbKzTA= -k8s.io/kms v0.28.0/go.mod h1:CNU792ls92v2Ye7Vn1jn+xLqYtUSezDZNVu6PLbJyrU= -k8s.io/kms v0.28.1 h1:QLNTIc0k7Yebkt9yobj9Y9qBoRCMB4dq+pFCxVXVBnY= -k8s.io/kms v0.28.1/go.mod h1:I2TwA8oerDRInHWWBOqSUzv1EJDC1+55FQKYkxaPxh0= -k8s.io/kms v0.28.2 h1:KhG63LHopCdzs1oKA1j+NWleuIXudgOyCqJo4yi3GaM= -k8s.io/kms v0.28.2/go.mod h1:iAjgIqBrV2+8kmsjbbgUkAyKSuYq5g1dW9knpt6OhaE= -k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc= -k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM= -k8s.io/kube-aggregator v0.28.0 h1:8uH1SoRLlDdhdaW64eAK1BDWUXr2jLtVhiShysTzcok= -k8s.io/kube-aggregator v0.28.0/go.mod h1:wD7UarSU4HRyeDUIZLEHpvXNqL613w59yaM7ctjYapA= -k8s.io/kube-aggregator v0.28.1 h1:rvG4llYnQKHjj6YjjoBPEJxfD1uH0DJwkrJTNKGAaCs= -k8s.io/kube-aggregator v0.28.1/go.mod h1:JaLizMe+AECSpO2OmrWVsvnG0V3dX1RpW+Wq/QHbu18= -k8s.io/kube-aggregator v0.28.2 h1:tCjAfB1p/v18yD2NpegNQRuahzyA/szFfcRARnpjDeo= -k8s.io/kube-aggregator v0.28.2/go.mod 
h1:g4hZVjC4KhJtZHV2pyiRBiU6AdBA/sAjh9Y9GJC/SbU= +k8s.io/kms v0.28.3 h1:jYwwAe96XELNjYWv1G4kNzizcFoZ50OOElvPansbw70= +k8s.io/kms v0.28.3/go.mod h1:kSMjU2tg7vjqqoWVVCcmPmNZ/CofPsoTbSxAipCvZuE= +k8s.io/kube-aggregator v0.28.3 h1:CVbj3+cpshSHR5dWPzLYx3sVpIDEPLlzMSxY/lAc9cM= +k8s.io/kube-aggregator v0.28.3/go.mod h1:5DyLevbRTcWnT1f9b+lB3BfbXC1w7gDa/OtB6kKInCw= k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= -k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 h1:azYPdzztXxPSa8wb+hksEKayiz0o+PPisO/d+QhWnoo= -k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5/go.mod h1:kzo02I3kQ4BTtEfVLaPbjvCkX97YqGve33wzlb3fofQ= -k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515 h1:OmK1d0WrkD3IPfkskvroRykOulHVHf0s0ZIFRjyt+UI= -k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515/go.mod h1:kzo02I3kQ4BTtEfVLaPbjvCkX97YqGve33wzlb3fofQ= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/kube-openapi v0.0.0-20230718181711-3c0fae5ee9fd h1:0tN7VkdcfPGfii8Zl0edopOV08M6XxGlhO29AsPkBHw= -k8s.io/kube-openapi v0.0.0-20230718181711-3c0fae5ee9fd/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f h1:eeEUOoGYWhOz7EyXqhlR2zHKNw2mNJ9vzJmub6YN6kk= -k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= -k8s.io/kubectl v0.27.4 h1:RV1TQLIbtL34+vIM+W7HaS3KfAbqvy9lWn6pWB9els4= -k8s.io/kubectl v0.27.4/go.mod h1:qtc1s3BouB9KixJkriZMQqTsXMc+OAni6FeKAhq7q14= -k8s.io/kubectl v0.28.0 h1:qhfju0OaU+JGeBlToPeeIg2UJUWP++QwTkpio6nlPKg= 
-k8s.io/kubectl v0.28.0/go.mod h1:1We+E5nSX3/TVoSQ6y5Bzld5OhTBHZHlKEYl7g/NaTk= -k8s.io/kubectl v0.28.1 h1:jAq4yKEqQL+fwkWcEsUWxhJ7uIRcOYQraJxx4SyAMTY= -k8s.io/kubectl v0.28.1/go.mod h1:a0nk/lMMeKBulp0lMTJAKbkjZg1ykqfLfz/d6dnv1ak= -k8s.io/kubectl v0.28.2 h1:fOWOtU6S0smdNjG1PB9WFbqEIMlkzU5ahyHkc7ESHgM= -k8s.io/kubectl v0.28.2/go.mod h1:6EQWTPySF1fn7yKoQZHYf9TPwIl2AygHEcJoxFekr64= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/kubectl v0.28.3 h1:H1Peu1O3EbN9zHkJCcvhiJ4NUj6lb88sGPO5wrWIM6k= +k8s.io/kubectl v0.28.3/go.mod h1:RDAudrth/2wQ3Sg46fbKKl4/g+XImzvbsSRZdP2RiyE= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/kubernetes v1.27.4 h1:js5bonPoe7jgVPduNcWo6IjPTUdLzlnfhRgGmC7isM0= -k8s.io/kubernetes v1.27.4/go.mod h1:MbYZxAacYS6HjZ6VJuvKaKTilbzp0B0atzW3J8TFBEo= -k8s.io/kubernetes v1.28.0 h1:p8qq/VoNHnBWinLEi5LO2IvCfzFouN7Jhdz8+L++V+U= -k8s.io/kubernetes v1.28.0/go.mod h1:rBQpjGYlLBV0KuOLw8EG45N5EBCskWiPpi0xy5liHMI= -k8s.io/kubernetes v1.28.1 h1:ZQuukGbpVjSbMypkjNErpbsSHni6RPgoqz+2zDBsuMY= -k8s.io/kubernetes v1.28.1/go.mod h1:rBQpjGYlLBV0KuOLw8EG45N5EBCskWiPpi0xy5liHMI= -k8s.io/kubernetes v1.28.2 h1:GhcnYeNTukeaC0dD5BC+UWBvzQsFEpWj7XBVMQptfYc= -k8s.io/kubernetes v1.28.2/go.mod h1:FmB1Mlp9ua0ezuwQCTGs/y6wj/fVisN2sVxhzjj0WDk= -k8s.io/metrics v0.27.4 h1:2s04bods7rA507iouGbxD55YrKNlFjLYzm30noOl9Sk= -k8s.io/metrics v0.27.4/go.mod h1:kRvfhFC7wCQEFvu6H92uiV7v05z3Ty/vtluYT5D2Xpk= -k8s.io/metrics v0.28.0 h1:rO+zfTT2A5GvCdRD44vFAQgdz8Sa6OMsNYkEGpBQz0k= -k8s.io/metrics v0.28.0/go.mod h1:0RSSFOwf1qlDU54bLMDEDa81cz02mNlG4mxitIRsQCs= -k8s.io/metrics v0.28.1 h1:Q0AsAEZKlAzhqrvfoGyHjz2qAFlef0SqfGJ1YWJ+ITU= -k8s.io/metrics v0.28.1/go.mod h1:8lKkAajigcZWu0o9XCEBr++YVCzT48q1ck+f9CEBhZY= -k8s.io/metrics v0.28.2 h1:Z/oMk5SmiT/Ji1SaWOPfW2l9W831BLO9/XxDq9iS3ak= -k8s.io/metrics 
v0.28.2/go.mod h1:QTIIdjMrq+KodO+rmp6R9Pr1LZO8kTArNtkWoQXw0sw= +k8s.io/kubernetes v1.28.3 h1:XTci6gzk+JR51UZuZQCFJ4CsyUkfivSjLI4O1P9z6LY= +k8s.io/kubernetes v1.28.3/go.mod h1:NhAysZWvHtNcJFFHic87ofxQN7loylCQwg3ZvXVDbag= +k8s.io/metrics v0.28.3 h1:w2s3kVi7HulXqCVDFkF4hN/OsL1tXTTb4Biif995h/g= +k8s.io/metrics v0.28.3/go.mod h1:OZZ23AHFojPzU6r3xoHGRUcV3I9pauLua+07sAUbwLc= k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU= -k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -k8s.io/utils v0.0.0-20230711102312-30195339c3c7 h1:ZgnF1KZsYxWIifwSNZFZgNtWE89WI5yiP5WwlfDoIyc= -k8s.io/utils v0.0.0-20230711102312-30195339c3c7/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= layeh.com/radius v0.0.0-20190322222518-890bc1058917/go.mod h1:fywZKyu//X7iRzaxLgPWsvc0L26IUpVvE/aeIL2JtIQ= 
@@ -4105,6 +3979,7 @@ modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8= mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48= nhooyr.io/websocket v1.8.7 h1:usjR2uOr/zjjkVMy0lW+PPohFok7PCow5sDjLgX4P4g= +nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 
@@ -4113,39 +3988,27 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2/go.mod h1:+qG7ISX sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.3 h1:I3qQxpzWFcsU7IV/MENc5x125HxRtchsNPtE6Pu+bBc= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.3/go.mod h1:e7I0gvW7fYKOqZDDsvaETBEyfM4dXh6DQ/SsqNInVC0= sigs.k8s.io/controller-runtime v0.2.2/go.mod h1:9dyohw3ZtoXQuV1e766PHUn+cmrRCIcBh6XIMFNMZ+I= -sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= -sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= -sigs.k8s.io/controller-runtime v0.15.1 h1:9UvgKD4ZJGcj24vefUFgZFP3xej/3igL9BsOUTb/+4c= -sigs.k8s.io/controller-runtime v0.15.1/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= -sigs.k8s.io/controller-runtime v0.16.1 h1:+15lzrmHsE0s2kNl0Dl8cTchI5Cs8qofo5PGcPrV9z0= -sigs.k8s.io/controller-runtime v0.16.1/go.mod h1:vpMu3LpI5sYWtujJOa2uPK61nB5rbwlN7BAB8aSLvGU= -sigs.k8s.io/gateway-api v0.7.0 h1:/mG8yyJNBifqvuVLW5gwlI4CQs0NR/5q4BKUlf1bVdY= -sigs.k8s.io/gateway-api v0.7.0/go.mod h1:Xv0+ZMxX0lu1nSSDIIPEfbVztgNZ+3cfiYrJsa2Ooso= +sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4= +sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= sigs.k8s.io/gateway-api v0.8.0 h1:isQQ3Jx2qFP7vaA3ls0846F0Amp9Eq14P08xbSwVbQg= sigs.k8s.io/gateway-api v0.8.0/go.mod h1:okOnjPNBFbIS/Rw9kAhuIUaIkLhTKEu+ARIuXk2dgaM= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.13.4 h1:E38Hfx0G9R9v7vRgKshviPotJQETG0S2gD3JdHLCAsI= -sigs.k8s.io/kustomize/api v0.13.4/go.mod h1:Bkaavz5RKK6ZzP0zgPrB7QbpbBJKiHuD3BB0KujY7Ls= sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= 
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY= -sigs.k8s.io/kustomize/kustomize/v5 v5.0.3 h1:3krCsUOkGhECi/uP8eZ2e6nR9i/ht+5xIdXeg12Pso4= -sigs.k8s.io/kustomize/kustomize/v5 v5.0.3/go.mod h1:FuozO28O7PGQkoO8kFLKylg1rlfFkJj0J1CyAUcBdk4= sigs.k8s.io/kustomize/kustomize/v5 v5.0.4-0.20230601165947-6ce0bf390ce3 h1:vq2TtoDcQomhy7OxXLUOzSbHMuMYq0Bjn93cDtJEdKw= sigs.k8s.io/kustomize/kustomize/v5 v5.0.4-0.20230601165947-6ce0bf390ce3/go.mod h1:/d88dHCvoy7d0AKFT0yytezSGZKjsZBVs9YTkBHSGFk= -sigs.k8s.io/kustomize/kyaml v0.14.2 h1:9WSwztbzwGszG1bZTziQUmVMrJccnyrLb5ZMKpJGvXw= -sigs.k8s.io/kustomize/kyaml v0.14.2/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4= sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U= sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag= sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= -sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= -sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/structured-merge-diff/v4 v4.4.0 h1:ZNWce/g8uFW41cK9XYCj7RRt6919IWznPZ2VOCuHLjg= +sigs.k8s.io/structured-merge-diff/v4 v4.4.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/testing_frameworks v0.1.1/go.mod h1:VVBKrHmJ6Ekkfz284YKhQePcdycOzNH9qL6ht1zEr/U= sigs.k8s.io/yaml v1.1.0/go.mod 
h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/k8s/amour/BUILD.bazel b/k8s/amour/BUILD.bazel index a8277f826..059595357 100644 --- a/k8s/amour/BUILD.bazel +++ b/k8s/amour/BUILD.bazel @@ -25,6 +25,8 @@ cue_export( "//k8s/amour/cert_manager:cue_cert_manager_library", "//k8s/amour/cert_manager_csi_driver:cue_cert_manager_csi_driver_library", "//k8s/amour/cilium:cue_cilium_library", + "//k8s/amour/external_secrets:cue_external_secrets_library", + "//k8s/amour/grafana:cue_grafana_library", "//k8s/amour/intel_gpu_plugin:cue_intel_gpu_plugin_library", "//k8s/amour/kube_state_metrics:cue_kube_state_metrics_library", "//k8s/amour/kube_system:cue_kube_system_library", @@ -32,8 +34,8 @@ cue_export( "//k8s/amour/node_feature_discovery:cue_node_feature_discovery_library", "//k8s/amour/node_problem_detector:cue_node_problem_detector_library", "//k8s/amour/onepassword_connect:cue_onepassword_connect_library", - "//k8s/amour/onepassword_operator:cue_onepassword_operator_library", "//k8s/amour/rook_ceph:cue_rook_ceph_library", + "//k8s/amour/snapshot_controller:cue_snapshot_controller_library", "//k8s/amour/thomas:cue_thomas_library", "//k8s/amour/vm:cue_vm_library", "//k8s/amour/vm_operator:cue_vm_operator_library", 
@@ -44,11 +46,13 @@ cue_library( name = "cue_amour_library", srcs = [ "apply_set_list.cue", + "cluster_secret_store_list.cue", "custom_resource_definition_list.cue", ], importpath = "github.com/uhthomas/automata/k8s/amour", visibility = ["//visibility:public"], deps = [ + "//cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1:cue_v1beta1_library", "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library", "//cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:cue_v1_library", ], diff --git a/k8s/amour/cluster_secret_store_list.cue b/k8s/amour/cluster_secret_store_list.cue new file mode 100644 index 000000000..5591c1413 --- /dev/null +++ b/k8s/amour/cluster_secret_store_list.cue @@ -0,0 +1,25 @@ +package amour + +import externalsecretsv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1" + +#ClusterSecretStoreList: externalsecretsv1beta1.#ClusterSecretStoreList & { + apiVersion: "external-secrets.io/v1beta1" + kind: "ClusterSecretStoreList" + items: [...{ + apiVersion: "external-secrets.io/v1beta1" + kind: "ClusterSecretStore" + }] +} + +#ClusterSecretStoreList: items: [{ + metadata: name: "onepassword" + spec: provider: onepassword: { + connectHost: "http://onepassword-connect.onepassword-connect:8080" + vaults: amour: 1 + auth: secretRef: connectTokenSecretRef: { + name: "onepassword-connect-token" + namespace: "onepassword-connect" + key: "token" + } + } +}] diff --git a/k8s/amour/onepassword_operator/BUILD.bazel b/k8s/amour/external_secrets/BUILD.bazel similarity index 69% rename from k8s/amour/onepassword_operator/BUILD.bazel rename to k8s/amour/external_secrets/BUILD.bazel index 334b149a3..173b70ccf 100644 --- a/k8s/amour/onepassword_operator/BUILD.bazel +++ b/k8s/amour/external_secrets/BUILD.bazel 
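Review bot: The `onepassword` ClusterSecretStore added in cluster_secret_store_list.cue is cluster-scoped and sets no `spec.conditions`, so an ExternalSecret created in any namespace can pull any item from the `amour` vault through it; whether that reach is intended is not stated anywhere in the hunk. If only a few namespaces should have vault access, restrict the store with `spec: conditions: [{namespaces: [...]}]` (confirm the field exists in the generated v1beta1 CUE) or give those namespaces a namespaced SecretStore instead, and either way add a one-line comment above `metadata: name: "onepassword"` recording the decision. `connectHost` is plain `http://onepassword-connect.onepassword-connect:8080`, so the Connect bearer token crosses the pod network unencrypted; that matches the Connect default but is worth a comment noting the store relies on the cluster network and network policy for confidentiality.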
@@ -1,31 +1,31 @@ load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_export", "cue_library") cue_library( - name = "cue_onepassword_operator_library", + name = "cue_external_secrets_library", srcs = [ - "cilium_network_policy_list.cue", "cluster_role_binding_list.cue", "cluster_role_list.cue", "custom_resource_definition_list.cue", "deployment_list.cue", "list.cue", "namespace_list.cue", - "secret_list.cue", + "role_binding_list.cue", + "role_list.cue", "service_account_list.cue", ], - importpath = "github.com/uhthomas/automata/k8s/amour/onepassword_operator", + importpath = "github.com/uhthomas/automata/k8s/amour/external_secrets", visibility = ["//visibility:public"], deps = [ - "//cue.mod/gen/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2:cue_v2_library", "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library", "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library", "//cue.mod/gen/k8s.io/api/rbac/v1:cue_v1_library", "//cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:cue_v1_library", + "//k8s/amour/external_secrets/webhook:cue_webhook_library", ], ) cue_export( - name = "a", - src = "a.cue", + name = "external_secrets", + src = "external-secrets.cue", visibility = ["//visibility:public"], ) diff --git a/k8s/amour/onepassword_secrets_injector/cluster_role_binding_list.cue b/k8s/amour/external_secrets/cluster_role_binding_list.cue similarity index 76% rename from k8s/amour/onepassword_secrets_injector/cluster_role_binding_list.cue rename to k8s/amour/external_secrets/cluster_role_binding_list.cue index 5e1fdc161..86f66ea54 100644 --- a/k8s/amour/onepassword_secrets_injector/cluster_role_binding_list.cue +++ b/k8s/amour/external_secrets/cluster_role_binding_list.cue @@ -1,4 +1,4 @@ -package onepassword_secrets_injector +package external_secrets import rbacv1 "k8s.io/api/rbac/v1" 
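Review bot: The renamed library drops `cilium_network_policy_list.cue` from `srcs` and the Cilium dep from `deps`, and nothing in the new file list replaces them, so the external-secrets controller ships without the network policy the 1Password operator package carried, unless one now lives in `//k8s/amour/external_secrets/webhook` or another package. Its ClusterRole in cluster_role_list.cue grants create/update/delete/patch on Secrets in every namespace, so a policy limiting egress to the API server and the Connect service would be the natural parity fix; at minimum add `# TODO: restore CiliumNetworkPolicy for the controller and webhook` beside `srcs` so the gap is recorded. The `cue_export` src `external-secrets.cue` is not listed in `srcs`, which mirrors the previous `a.cue` arrangement, so presumably intentional.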
@@ -12,14 +12,15 @@ import rbacv1 "k8s.io/api/rbac/v1"
 }
 
 #ClusterRoleBindingList: items: [{
- subjects: [{
- kind: rbacv1.#ServiceAccountKind
- name: #Name
- namespace: #Namespace
- }]
+ metadata: name: "external-secrets-controller"
 roleRef: {
 apiGroup: rbacv1.#GroupName
 kind: "ClusterRole"
- name: #Name
+ name: "external-secrets-controller"
 }
+ subjects: [{
+ name: "external-secrets"
+ namespace: #Namespace
+ kind: rbacv1.#ServiceAccountKind
+ }]
 }]
diff --git a/k8s/amour/external_secrets/cluster_role_list.cue b/k8s/amour/external_secrets/cluster_role_list.cue
new file mode 100644
index 000000000..3bea357e0
--- /dev/null
+++ b/k8s/amour/external_secrets/cluster_role_list.cue
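Review bot: The subject and roleRef names are now string literals (`"external-secrets"`, `"external-secrets-controller"`) where the previous version referenced `#Name`, so this binding, the ClusterRole in cluster_role_list.cue and the ServiceAccount have to be kept in sync by hand; a mismatch in any one of them leaves the controller unauthorized at runtime instead of failing at `cue vet`. Consider a package-level definition such as `#Name: "external-secrets"` next to the `#Namespace` the hunk already uses, and referencing it from the subject and the ServiceAccount alike. The enclosing `#ClusterRoleBindingList` definition begins above the hunk.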
@@ -0,0 +1,101 @@
+package external_secrets
+
+import (
+ rbacv1 "k8s.io/api/rbac/v1"
+ "k8s.io/api/core/v1"
+)
+
+#ClusterRoleList: rbacv1.#ClusterRoleList & {
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "ClusterRoleList"
+ items: [...{
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "ClusterRole"
+ }]
+}
+
+#ClusterRoleList: items: [{
+ metadata: name: "external-secrets-controller"
+ rules: [{
+ apiGroups: ["external-secrets.io"]
+ resources: ["secretstores", "clustersecretstores", "externalsecrets", "clusterexternalsecrets", "pushsecrets"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["external-secrets.io"]
+ resources: ["externalsecrets", "externalsecrets/status", "externalsecrets/finalizers", "secretstores", "secretstores/status", "secretstores/finalizers", "clustersecretstores", "clustersecretstores/status", "clustersecretstores/finalizers", "clusterexternalsecrets", "clusterexternalsecrets/status", "clusterexternalsecrets/finalizers", "pushsecrets", "pushsecrets/status", "pushsecrets/finalizers"]
+ verbs: ["update", "patch"]
+ }, {
+ apiGroups: ["generators.external-secrets.io"]
+ resources: ["acraccesstokens", "ecrauthorizationtokens", "fakes", "gcraccesstokens", "passwords", "vaultdynamicsecrets"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [v1.#GroupName]
+ resources: ["serviceaccounts", "namespaces"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [v1.#GroupName]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [v1.#GroupName]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+ }, {
+ apiGroups: [v1.#GroupName]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
+ }, {
+ apiGroups: [v1.#GroupName]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ }, {
+ apiGroups: ["external-secrets.io"]
+ resources: ["externalsecrets"]
+ verbs: ["create", "update", "delete"]
+ }]
+}, {
+ metadata: {
+ name: "external-secrets-view"
+ labels: {
+ "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+ "rbac.authorization.k8s.io/aggregate-to-edit": "true"
+ "rbac.authorization.k8s.io/aggregate-to-view": "true"
+ }
+ }
+ rules: [{
+ apiGroups: ["external-secrets.io"]
+ resources: ["externalsecrets", "secretstores", "clustersecretstores", "pushsecrets"]
+ verbs: ["get", "watch", "list"]
+ }, {
+ apiGroups: ["generators.external-secrets.io"]
+ resources: ["acraccesstokens", "ecrauthorizationtokens", "fakes", "gcraccesstokens", "passwords", "vaultdynamicsecrets"]
+ verbs: ["get", "watch", "list"]
+ }]
+}, {
+ metadata: {
+ name: "external-secrets-edit"
+ labels: {
+ "rbac.authorization.k8s.io/aggregate-to-admin": "true"
+ "rbac.authorization.k8s.io/aggregate-to-edit": "true"
+ }
+ }
+ rules: [{
+ apiGroups: ["external-secrets.io"]
+ resources: ["externalsecrets", "secretstores", "clustersecretstores", "pushsecrets"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
+ }, {
+ apiGroups: ["generators.external-secrets.io"]
+ resources: ["acraccesstokens", "ecrauthorizationtokens", "fakes", "gcraccesstokens", "passwords", "vaultdynamicsecrets"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
+ }]
+}, {
+ metadata: {
+ name: "external-secrets-servicebindings"
+ labels: "servicebinding.io/controller": "true"
+ }
+ rules: [{
+ apiGroups: ["external-secrets.io"]
+ resources: ["externalsecrets"]
+ verbs: ["get", "list", "watch"]
+ }]
+}]
diff --git a/k8s/amour/external_secrets/custom_resource_definition_list.cue b/k8s/amour/external_secrets/custom_resource_definition_list.cue
new file mode 100644
index 000000000..0e664a31a
--- /dev/null
+++ b/k8s/amour/external_secrets/custom_resource_definition_list.cue
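Review bot: The `external-secrets-controller` ClusterRole grants `create` on `serviceaccounts/token` and full `create`/`update`/`delete`/`patch` on `secrets` with no namespace restriction, so the ServiceAccount bound to it in cluster_role_binding_list.cue can mint a token for any ServiceAccount in the cluster and read or rewrite any Secret; this mirrors the upstream external-secrets RBAC, but it makes that controller pod a cluster-wide escalation path if it is ever compromised. The token rule serves providers that authenticate through a `serviceAccountRef` (the CRD schema in this commit shows such `jwt`, `workloadIdentity` and `kubernetesAuth` options), whereas the only store defined so far uses the 1Password provider with a static connect token. A comment on that rule, e.g. `// TokenRequest for providers using serviceAccountRef auth; unused by the onepassword store — remove if no such store is added`, records the reason, and if the set of providers stays fixed the rule can be dropped. Alerting on `create` of `serviceaccounts/token` by this ServiceAccount in the API audit log is a cheap detection for misuse either way.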
@@ -0,0 +1,10230 @@ +package external_secrets + +import apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + +#CustomResourceDefinitionList: apiextensionsv1.#CustomResourceDefinitionList & { + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinitionList" + items: [...{ + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinition" + }] +} + +#CustomResourceDefinitionList: items: [{ + metadata: name: "acraccesstokens.generators.external-secrets.io" + spec: { + group: "generators.external-secrets.io" + names: { + categories: ["acraccesstoken"] + kind: "ACRAccessToken" + listKind: "ACRAccessTokenList" + plural: "acraccesstokens" + shortNames: ["acraccesstoken"] + singular: "acraccesstoken" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: """ + ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md + """ + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview" + properties: { + auth: { + properties: { + managedIdentity: { + description: "ManagedIdentity uses Azure Managed Identity to authenticate with Azure." + properties: identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + type: "object" + } + servicePrincipal: { + description: "ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure." + properties: secretRef: { + description: "Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + required: [ + "secretRef", + ] + type: "object" + } + workloadIdentity: { + description: "WorkloadIdentity uses Azure Workload Identity to authenticate with Azure." + properties: serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: [ + "name", + ] + type: "object" + } + type: "object" + } + } + type: "object" + } + environmentType: { + default: "PublicCloud" + description: "EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. 
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud" + enum: [ + "PublicCloud", + "USGovernmentCloud", + "ChinaCloud", + "GermanCloud", + ] + type: "string" + } + registry: { + description: "the domain name of the ACR registry e.g. foobarexample.azurecr.io" + type: "string" + } + scope: { + description: """ + Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. + examples: repository:my-repository:pull,push repository:my-repository:pull + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ + """ + type: "string" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." + type: "string" + } + } + required: [ + "auth", + "registry", + ] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: [ + "v1", + ] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "clusterexternalsecrets.external-secrets.io" + spec: { + group: "external-secrets.io" + names: { + categories: ["externalsecrets"] + kind: "ClusterExternalSecret" + listKind: "ClusterExternalSecretList" + plural: "clusterexternalsecrets" + shortNames: ["ces"] + singular: "clusterexternalsecret" + } + scope: "Cluster" + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".spec.externalSecretSpec.secretStoreRef.name" + name: "Store" + type: "string" + }, { + jsonPath: ".spec.refreshTime" + name: "Refresh Interval" + type: "string" + }, { + jsonPath: 
".status.conditions[?(@.type==\"Ready\")].status" + name: "Ready" + type: "string" + }] + name: "v1beta1" + schema: openAPIV3Schema: { + description: "ClusterExternalSecret is the Schema for the clusterexternalsecrets API." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret." + properties: { + externalSecretMetadata: { + description: "The metadata of the external secrets to be created" + properties: { + annotations: { + additionalProperties: type: "string" + type: "object" + } + labels: { + additionalProperties: type: "string" + type: "object" + } + } + type: "object" + } + externalSecretName: { + description: "The name of the external secrets to be created defaults to the name of the ClusterExternalSecret" + type: "string" + } + externalSecretSpec: { + description: "The spec for the ExternalSecrets to be created" + properties: { + data: { + description: "Data defines the connection between the Kubernetes Secret keys and the Provider data" + items: { + description: "ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data." 
+ properties: { + remoteRef: { + description: "RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + metadataPolicy: { + description: "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: [ + "key", + ] + type: "object" + } + secretKey: { + description: "SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret" + type: "string" + } + sourceRef: { + description: "SourceRef allows you to override the source from which the value will pulled from." + maxProperties: 1 + properties: { + generatorRef: { + description: "GeneratorRef points to a generator custom resource in" + properties: { + apiVersion: { + default: "generators.external-secrets.io/v1alpha1" + description: "Specify the apiVersion of the generator resource" + type: "string" + } + kind: { + description: "Specify the Kind of the resource, e.g. Password, ACRAccessToken etc." + type: "string" + } + name: { + description: "Specify the name of the generator resource" + type: "string" + } + } + required: [ + "kind", + "name", + ] + type: "object" + } + storeRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." 
+ properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: [ + "name", + ] + type: "object" + } + } + type: "object" + } + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + type: "array" + } + dataFrom: { + description: "DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order" + items: { + properties: { + extract: { + description: "Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + metadataPolicy: { + description: "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: [ + "key", + ] + type: "object" + } + find: { + description: "Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef." 
+ properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + name: { + description: "Finds secrets based on the name." + properties: regexp: { + description: "Finds secrets base" + type: "string" + } + type: "object" + } + path: { + description: "A root path to start the find operations." + type: "string" + } + tags: { + additionalProperties: type: "string" + description: "Find secrets based on tags." + type: "object" + } + } + type: "object" + } + rewrite: { + description: "Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)" + items: { + properties: regexp: { + description: "Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation." + properties: { + source: { + description: "Used to define the regular expression of a re.Compiler." + type: "string" + } + target: { + description: "Used to define the target pattern of a ReplaceAll operation." + type: "string" + } + } + required: [ + "source", + "target", + ] + type: "object" + } + type: "object" + } + type: "array" + } + sourceRef: { + description: "SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. 
The generator returns a static map of values" + maxProperties: 1 + properties: { + generatorRef: { + description: "GeneratorRef points to a generator custom resource in" + properties: { + apiVersion: { + default: "generators.external-secrets.io/v1alpha1" + description: "Specify the apiVersion of the generator resource" + type: "string" + } + kind: { + description: "Specify the Kind of the resource, e.g. Password, ACRAccessToken etc." + type: "string" + } + name: { + description: "Specify the name of the generator resource" + type: "string" + } + } + required: [ + "kind", + "name", + ] + type: "object" + } + storeRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." + properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: [ + "name", + ] + type: "object" + } + } + type: "object" + } + } + type: "object" + } + type: "array" + } + refreshInterval: { + default: "1h" + description: "RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\" May be set to zero to fetch and create it once. Defaults to 1h." + type: "string" + } + secretStoreRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." 
+ properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + target: { + default: { + creationPolicy: "Owner" + deletionPolicy: "Retain" + } + description: "ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret." + properties: { + creationPolicy: { + default: "Owner" + description: "CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'" + enum: [ + "Owner", + "Orphan", + "Merge", + "None", + ] + type: "string" + } + deletionPolicy: { + default: "Retain" + description: "DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'" + enum: [ + "Delete", + "Merge", + "Retain", + ] + type: "string" + } + immutable: { + description: "Immutable defines if the final secret will be immutable" + type: "boolean" + } + name: { + description: "Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource" + type: "string" + } + template: { + description: "Template defines a blueprint for the created Secret resource." + properties: { + data: { + additionalProperties: type: "string" + type: "object" + } + engineVersion: { + default: "v2" + type: "string" + } + mergePolicy: { + default: "Replace" + type: "string" + } + metadata: { + description: "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint." 
+ properties: { + annotations: { + additionalProperties: type: "string" + type: "object" + } + labels: { + additionalProperties: type: "string" + type: "object" + } + } + type: "object" + } + templateFrom: { + items: { + properties: { + configMap: { + properties: { + items: { + items: { + properties: { + key: type: "string" + templateAs: { + default: "Values" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + literal: type: "string" + secret: { + properties: { + items: { + items: { + properties: { + key: type: "string" + templateAs: { + default: "Values" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + target: { + default: "Data" + type: "string" + } + } + type: "object" + } + type: "array" + } + type: type: "string" + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + namespaceSelector: { + description: "The labels to select by to find the Namespaces to create the ExternalSecrets in." + properties: { + matchExpressions: { + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: { + description: "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values." + properties: { + key: { + description: "key is the label key that the selector applies to." + type: "string" + } + operator: { + description: "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + } + values: { + description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch." + items: type: "string" + type: "array" + } + } + required: [ + "key", + "operator", + ] + type: "object" + } + type: "array" + } + matchLabels: { + additionalProperties: type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + refreshTime: { + description: "The time in which the controller should reconcile it's objects and recheck namespaces for labels." + type: "string" + } + } + required: [ + "externalSecretSpec", + "namespaceSelector", + ] + type: "object" + } + status: { + description: "ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret." + properties: { + conditions: { + items: { + properties: { + message: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + externalSecretName: { + description: "ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret" + type: "string" + } + failedNamespaces: { + description: "Failed namespaces are the namespaces that failed to apply an ExternalSecret" + items: { + description: "ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason." 
+ properties: { + namespace: { + description: "Namespace is the namespace that failed when trying to apply an ExternalSecret" + type: "string" + } + reason: { + description: "Reason is why the ExternalSecret failed to apply to the namespace" + type: "string" + } + } + required: ["namespace"] + type: "object" + } + type: "array" + } + provisionedNamespaces: { + description: "ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets" + items: type: "string" + type: "array" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "clustersecretstores.external-secrets.io" + spec: { + group: "external-secrets.io" + names: { + categories: ["externalsecrets"] + kind: "ClusterSecretStore" + listKind: "ClusterSecretStoreList" + plural: "clustersecretstores" + shortNames: ["css"] + singular: "clustersecretstore" + } + scope: "Cluster" + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }] + deprecated: true + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "SecretStoreSpec defines the desired state of SecretStore." + properties: { + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property" + type: "string" + } + provider: { + description: "Used to configure the provider. Only one provider may be set" + maxProperties: 1 + minProperties: 1 + properties: { + akeyless: { + description: "Akeyless configures this store to sync secrets using Akeyless Vault provider" + properties: { + akeylessGWApiURL: { + description: "Akeyless GW API Url from which the secrets to be fetched from." + type: "string" + } + authSecretRef: { + description: "Auth configures how the operator authenticates with Akeyless." + properties: { + kubernetesAuth: { + description: "Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource." + properties: { + accessID: { + description: "the Akeyless Kubernetes auth-method access-id" + type: "string" + } + k8sConfName: { + description: "Kubernetes-auth configuration name in Akeyless-Gateway" + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." 
+ properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "accessID", + "k8sConfName", + ] + type: "object" + } + secretRef: { + description: "Reference to a Secret that contains the details to authenticate with Akeyless." + properties: { + accessID: { + description: "The SecretAccessID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessType: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessTypeParam: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection." 
+ format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Akeyless Gateway certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + } + required: [ + "akeylessGWApiURL", + "authSecretRef", + ] + type: "object" + } + alibaba: { + description: "Alibaba configures this store to sync secrets using Alibaba Cloud provider" + properties: { + auth: { + description: "AlibabaAuth contains a secretRef for credentials." + properties: { + rrsa: { + description: "Authenticate against Alibaba using RRSA." + properties: { + oidcProviderArn: type: "string" + oidcTokenFilePath: type: "string" + roleArn: type: "string" + sessionName: type: "string" + } + required: [ + "oidcProviderArn", + "oidcTokenFilePath", + "roleArn", + "sessionName", + ] + type: "object" + } + secretRef: { + description: "AlibabaAuthSecretRef holds secret references for Alibaba credentials." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessKeySecretSecretRef: { + description: "The AccessKeySecret is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKeyIDSecretRef", + "accessKeySecretSecretRef", + ] + type: "object" + } + } + type: "object" + } + regionID: { + description: "Alibaba Region to be used for the provider" + type: "string" + } + } + required: [ + "auth", + "regionID", + ] + type: "object" + } + aws: { + description: "AWS configures this store to sync secrets using AWS Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + region: { + description: "AWS Region to be used for the provider" + type: "string" + } + role: { + description: "Role is a Role ARN which the SecretManager provider will assume" + type: "string" + } + service: { + description: "Service defines which service should be used to fetch the secrets" + enum: [ + "SecretsManager", + "ParameterStore", + ] + type: "string" + } + } + required: [ + "region", + "service", + ] + type: "object" + } + azurekv: { + description: "AzureKV configures this store to sync secrets using Azure Key Vault provider" + properties: { + authSecretRef: { + description: "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + authType: { + default: "ServicePrincipal" + description: "Auth type defines how to authenticate to the keyvault service. Valid values are: - \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret) - \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)" + enum: [ + "ServicePrincipal", + "ManagedIdentity", + "WorkloadIdentity", + ] + type: "string" + } + identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." + type: "string" + } + vaultUrl: { + description: "Vault Url from which the secrets to be fetched from." 
+ type: "string" + } + } + required: ["vaultUrl"] + type: "object" + } + fake: { + description: "Fake configures a store with static key/value pairs" + properties: data: { + items: { + properties: { + key: type: "string" + value: type: "string" + valueMap: { + additionalProperties: type: "string" + type: "object" + } + version: type: "string" + } + required: ["key"] + type: "object" + } + type: "array" + } + required: ["data"] + type: "object" + } + gcpsm: { + description: "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID project where secret is located" + type: "string" + } + } + type: "object" + } + gitlab: { + description: "GitLab configures this store to sync secrets using GitLab Variables provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a GitLab instance." + properties: SecretRef: { + properties: accessToken: { + description: "AccessToken is used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["SecretRef"] + type: "object" + } + projectID: { + description: "ProjectID specifies a project where secrets are located." + type: "string" + } + url: { + description: "URL configures the GitLab instance URL. Defaults to https://gitlab.com/." + type: "string" + } + } + required: ["auth"] + type: "object" + } + ibm: { + description: "IBM configures this store to sync secrets using IBM Cloud provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the IBM secrets manager." 
+ properties: secretRef: { + properties: secretApiKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["secretRef"] + type: "object" + } + serviceUrl: { + description: "ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance" + type: "string" + } + } + required: ["auth"] + type: "object" + } + kubernetes: { + description: "Kubernetes configures this store to sync secrets using a Kubernetes cluster provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a Kubernetes instance." + maxProperties: 1 + minProperties: 1 + properties: { + cert: { + description: "has both clientCert and clientKey as secretKeySelector" + properties: { + clientCert: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + clientKey: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + serviceAccount: { + description: "points to a service account that should be used for authentication" + properties: serviceAccount: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + token: { + description: "use static token to authenticate with" + properties: bearerToken: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + remoteNamespace: { + default: "default" + description: "Remote namespace to fetch the secrets from" + type: "string" + } + server: { + description: "configures the Kubernetes server Address." + properties: { + caBundle: { + description: "CABundle is a base64-encoded CA certificate" + format: "byte" + type: "string" + } + caProvider: { + description: "see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider" + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + url: { + default: "kubernetes.default" + description: "configures the Kubernetes server Address." + type: "string" + } + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + oracle: { + description: "Oracle configures this store to sync secrets using Oracle Vault provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth." 
+ properties: { + secretRef: { + description: "SecretRef to pass through sensitive information." + properties: { + fingerprint: { + description: "Fingerprint is the fingerprint of the API private key." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + privatekey: { + description: "PrivateKey is the user's API Signing Key in PEM format, used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "fingerprint", + "privatekey", + ] + type: "object" + } + tenancy: { + description: "Tenancy is the tenancy OCID where user is located." + type: "string" + } + user: { + description: "User is an access OCID specific to the account." + type: "string" + } + } + required: [ + "secretRef", + "tenancy", + "user", + ] + type: "object" + } + region: { + description: "Region is the region where vault is located." + type: "string" + } + vault: { + description: "Vault is the vault's OCID of the specific vault where secret is located." 
+ type: "string" + } + } + required: [ + "region", + "vault", + ] + type: "object" + } + vault: { + description: "Vault configures this store to sync secrets using Hashi provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." + properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "roleId", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified." + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." 
+ properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." 
+ type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." + enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + webhook: { + description: "Webhook configures this store to sync secrets using a generic templated webhook" + properties: { + body: { + description: "Body" + type: "string" + } + caBundle: { + description: "PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate webhook server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." 
+ enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + headers: { + additionalProperties: type: "string" + description: "Headers" + type: "object" + } + method: { + description: "Webhook Method" + type: "string" + } + result: { + description: "Result formatting" + properties: jsonPath: { + description: "Json path of return value" + type: "string" + } + type: "object" + } + secrets: { + description: "Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name" + items: { + properties: { + name: { + description: "Name of this secret in templates" + type: "string" + } + secretRef: { + description: "Secret ref to fill in credentials" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "name", + "secretRef", + ] + type: "object" + } + type: "array" + } + timeout: { + description: "Timeout" + type: "string" + } + url: { + description: "Webhook url to call" + type: "string" + } + } + required: [ + "result", + "url", + ] + type: "object" + } + yandexlockbox: { + description: "YandexLockbox configures this store to sync secrets using Yandex Lockbox provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 
'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Lockbox" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + } + type: "object" + } + retrySettings: { + description: "Used to configure http retries if failed" + properties: { + maxRetries: { + format: "int32" + type: "integer" + } + retryInterval: type: "string" + } + type: "object" + } + } + required: ["provider"] + type: "object" + } + status: { + description: "SecretStoreStatus defines the observed state of the SecretStore." + properties: conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + type: "object" + } + } + type: "object" + } + served: true + storage: false + subresources: status: {} + }, { + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }, { + jsonPath: ".status.capabilities" + name: "Capabilities" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + name: "Ready" + type: "string" + }] + name: "v1beta1" + schema: openAPIV3Schema: { + description: "ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "SecretStoreSpec defines the desired state of SecretStore." + properties: { + conditions: { + description: "Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore" + items: { + description: "ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance." + properties: { + namespaceSelector: { + description: "Choose namespace using a labelSelector" + properties: { + matchExpressions: { + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: { + description: "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values." + properties: { + key: { + description: "key is the label key that the selector applies to." + type: "string" + } + operator: { + description: "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + } + values: { + description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch." + items: type: "string" + type: "array" + } + } + required: [ + "key", + "operator", + ] + type: "object" + } + type: "array" + } + matchLabels: { + additionalProperties: type: "string" + description: "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + namespaces: { + description: "Choose namespaces by name" + items: type: "string" + type: "array" + } + } + type: "object" + } + type: "array" + } + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property" + type: "string" + } + provider: { + description: "Used to configure the provider. Only one provider may be set" + maxProperties: 1 + minProperties: 1 + properties: { + akeyless: { + description: "Akeyless configures this store to sync secrets using Akeyless Vault provider" + properties: { + akeylessGWApiURL: { + description: "Akeyless GW API Url from which the secrets to be fetched from." + type: "string" + } + authSecretRef: { + description: "Auth configures how the operator authenticates with Akeyless." + properties: { + kubernetesAuth: { + description: "Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource." + properties: { + accessID: { + description: "the Akeyless Kubernetes auth-method access-id" + type: "string" + } + k8sConfName: { + description: "Kubernetes-auth configuration name in Akeyless-Gateway" + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "accessID", + "k8sConfName", + ] + type: "object" + } + secretRef: { + description: "Reference to a Secret that contains the details to authenticate with Akeyless." + properties: { + accessID: { + description: "The SecretAccessID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessType: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessTypeParam: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection." 
+ format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Akeyless Gateway certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + } + required: [ + "akeylessGWApiURL", + "authSecretRef", + ] + type: "object" + } + alibaba: { + description: "Alibaba configures this store to sync secrets using Alibaba Cloud provider" + properties: { + auth: { + description: "AlibabaAuth contains a secretRef for credentials." + properties: { + rrsa: { + description: "Authenticate against Alibaba using RRSA." + properties: { + oidcProviderArn: type: "string" + oidcTokenFilePath: type: "string" + roleArn: type: "string" + sessionName: type: "string" + } + required: [ + "oidcProviderArn", + "oidcTokenFilePath", + "roleArn", + "sessionName", + ] + type: "object" + } + secretRef: { + description: "AlibabaAuthSecretRef holds secret references for Alibaba credentials." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessKeySecretSecretRef: { + description: "The AccessKeySecret is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKeyIDSecretRef", + "accessKeySecretSecretRef", + ] + type: "object" + } + } + type: "object" + } + regionID: { + description: "Alibaba Region to be used for the provider" + type: "string" + } + } + required: [ + "auth", + "regionID", + ] + type: "object" + } + aws: { + description: "AWS configures this store to sync secrets using AWS Secret Manager provider" + properties: { + additionalRoles: { + description: "AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role" + items: type: "string" + type: "array" + } + auth: { + description: "Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + region: { + description: "AWS Region to be used for the provider" + type: "string" + } + role: { + description: "Role is a Role ARN which the SecretManager provider will assume" + type: "string" + } + service: { + description: "Service defines which service should be used to fetch the secrets" + enum: [ + "SecretsManager", + "ParameterStore", + ] + type: "string" + } + sessionTags: { + description: "AWS STS assume role session tags" + items: { + properties: { + key: type: "string" + value: type: "string" + } + required: [ + "key", + "value", + ] + type: "object" + } + type: "array" + } + transitiveTagKeys: { + description: "AWS STS assume role transitive session tags. 
Required when multiple rules are used with SecretStore" + items: type: "string" + type: "array" + } + } + required: [ + "region", + "service", + ] + type: "object" + } + azurekv: { + description: "AzureKV configures this store to sync secrets using Azure Key Vault provider" + properties: { + authSecretRef: { + description: "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + authType: { + default: "ServicePrincipal" + description: "Auth type defines how to authenticate to the keyvault service. 
Valid values are: - \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret) - \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)" + enum: [ + "ServicePrincipal", + "ManagedIdentity", + "WorkloadIdentity", + ] + type: "string" + } + environmentType: { + default: "PublicCloud" + description: "EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud" + enum: [ + "PublicCloud", + "USGovernmentCloud", + "ChinaCloud", + "GermanCloud", + ] + type: "string" + } + identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." 
+ type: "string" + } + vaultUrl: { + description: "Vault Url from which the secrets to be fetched from." + type: "string" + } + } + required: ["vaultUrl"] + type: "object" + } + conjur: { + description: "Conjur configures this store to sync secrets using conjur provider" + properties: { + auth: { + properties: apikey: { + properties: { + account: type: "string" + apiKeyRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + userRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "account", + "apiKeyRef", + "userRef", + ] + type: "object" + } + required: ["apikey"] + type: "object" + } + caBundle: type: "string" + url: type: "string" + } + required: [ + "auth", + "url", + ] + type: "object" + } + delinea: { + description: "Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current" + properties: { + clientId: { + description: "ClientID is the non-secret part of the credential." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "ClientSecret is the secret part of the credential." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + tenant: { + description: "Tenant is the chosen hostname / site name." + type: "string" + } + tld: { + description: "TLD is based on the server location that was chosen during provisioning. If unset, defaults to \"com\"." + type: "string" + } + urlTemplate: { + description: "URLTemplate If unset, defaults to \"https://%s.secretsvaultcloud.%s/v1/%s%s\"." + type: "string" + } + } + required: [ + "clientId", + "clientSecret", + "tenant", + ] + type: "object" + } + doppler: { + description: "Doppler configures this store to sync secrets using the Doppler provider" + properties: { + auth: { + description: "Auth configures how the Operator authenticates with the Doppler API" + properties: secretRef: { + properties: dopplerToken: { + description: "The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + required: ["dopplerToken"] + type: "object" + } + required: ["secretRef"] + type: "object" + } + config: { + description: "Doppler config (required if not using a Service Token)" + type: "string" + } + format: { + description: "Format enables the downloading of secrets as a file (string)" + enum: [ + "json", + "dotnet-json", + "env", + "yaml", + "docker", + ] + type: "string" + } + nameTransformer: { + description: "Environment variable compatible name transforms that change secret names to a different format" + enum: [ + "upper-camel", + "camel", + "lower-snake", + "tf-var", + "dotnet-env", + "lower-kebab", + ] + type: "string" + } + project: { + description: "Doppler project (required if not using a Service Token)" + type: "string" + } + } + required: ["auth"] + type: "object" + } + fake: { + description: "Fake configures a store with static key/value pairs" + properties: data: { + items: { + properties: { + key: type: "string" + value: type: "string" + valueMap: { + additionalProperties: type: "string" + type: "object" + } + version: type: "string" + } + required: ["key"] + type: "object" + } + type: "array" + } + required: ["data"] + type: "object" + } + gcpsm: { + description: "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID project where secret is located" + type: "string" + } + } + type: "object" + } + gitlab: { + description: "GitLab configures this store to sync secrets using GitLab Variables provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a GitLab instance." + properties: SecretRef: { + properties: accessToken: { + description: "AccessToken is used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["SecretRef"] + type: "object" + } + environment: { + description: "Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)" + type: "string" + } + groupIDs: { + description: "GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables." + items: type: "string" + type: "array" + } + inheritFromGroups: { + description: "InheritFromGroups specifies whether parent groups should be discovered and checked for secrets." + type: "boolean" + } + projectID: { + description: "ProjectID specifies a project where secrets are located." + type: "string" + } + url: { + description: "URL configures the GitLab instance URL. Defaults to https://gitlab.com/." + type: "string" + } + } + required: ["auth"] + type: "object" + } + ibm: { + description: "IBM configures this store to sync secrets using IBM Cloud provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the IBM secrets manager." + maxProperties: 1 + minProperties: 1 + properties: { + containerAuth: { + description: "IBM Container-based auth with IAM Trusted Profile." 
+ properties: { + iamEndpoint: type: "string" + profile: { + description: "the IBM Trusted Profile" + type: "string" + } + tokenLocation: { + description: "Location the token is mounted on the pod" + type: "string" + } + } + required: ["profile"] + type: "object" + } + secretRef: { + properties: secretApiKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + serviceUrl: { + description: "ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance" + type: "string" + } + } + required: ["auth"] + type: "object" + } + keepersecurity: { + description: "KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider" + properties: { + authRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + folderID: type: "string" + } + required: [ + "authRef", + "folderID", + ] + type: "object" + } + kubernetes: { + description: "Kubernetes configures this store to sync secrets using a Kubernetes cluster provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a Kubernetes instance." + maxProperties: 1 + minProperties: 1 + properties: { + cert: { + description: "has both clientCert and clientKey as secretKeySelector" + properties: { + clientCert: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientKey: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + serviceAccount: { + description: "points to a service account that should be used for authentication" + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + token: { + description: "use static token to authenticate with" + properties: bearerToken: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + remoteNamespace: { + default: "default" + description: "Remote namespace to fetch the secrets from" + type: "string" + } + server: { + description: "configures the Kubernetes server Address." 
+ properties: { + caBundle: { + description: "CABundle is a base64-encoded CA certificate" + format: "byte" + type: "string" + } + caProvider: { + description: "see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider" + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + url: { + default: "kubernetes.default" + description: "configures the Kubernetes server Address." + type: "string" + } + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + onepassword: { + description: "OnePassword configures this store to sync secrets using the 1Password Cloud provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against OnePassword Connect Server" + properties: secretRef: { + description: "OnePasswordAuthSecretRef holds secret references for 1Password credentials." + properties: connectTokenSecretRef: { + description: "The ConnectToken is used for authentication to a 1Password Connect Server." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + required: ["connectTokenSecretRef"] + type: "object" + } + required: ["secretRef"] + type: "object" + } + connectHost: { + description: "ConnectHost defines the OnePassword Connect Server to connect to" + type: "string" + } + vaults: { + additionalProperties: type: "integer" + description: "Vaults defines which OnePassword vaults to search in which order" + type: "object" + } + } + required: [ + "auth", + "connectHost", + "vaults", + ] + type: "object" + } + oracle: { + description: "Oracle configures this store to sync secrets using Oracle Vault provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth." + properties: { + secretRef: { + description: "SecretRef to pass through sensitive information." + properties: { + fingerprint: { + description: "Fingerprint is the fingerprint of the API private key." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + privatekey: { + description: "PrivateKey is the user's API Signing Key in PEM format, used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "fingerprint", + "privatekey", + ] + type: "object" + } + tenancy: { + description: "Tenancy is the tenancy OCID where user is located." + type: "string" + } + user: { + description: "User is an access OCID specific to the account." + type: "string" + } + } + required: [ + "secretRef", + "tenancy", + "user", + ] + type: "object" + } + region: { + description: "Region is the region where vault is located." + type: "string" + } + vault: { + description: "Vault is the vault's OCID of the specific vault where secret is located." + type: "string" + } + } + required: [ + "region", + "vault", + ] + type: "object" + } + scaleway: { + description: "Scaleway" + properties: { + accessKey: { + description: "AccessKey is the non-secret part of the api key." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + apiUrl: { + description: "APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com" + type: "string" + } + projectId: { + description: "ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings" + type: "string" + } + region: { + description: "Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone" + type: "string" + } + secretKey: { + description: "SecretKey is the non-secret part of the api key." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKey", + "projectId", + "region", + "secretKey", + ] + type: "object" + } + senhasegura: { + description: "Senhasegura configures this store to sync secrets using senhasegura provider" + properties: { + auth: { + description: "Auth defines parameters to authenticate in senhasegura" + properties: { + clientId: type: "string" + clientSecretSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "clientId", + "clientSecretSecretRef", + ] + type: "object" + } + ignoreSslCertificate: { + default: false + description: "IgnoreSslCertificate defines if SSL certificate must be ignored" + type: "boolean" + } + module: { + description: "Module defines which senhasegura module should be used to get secrets" + type: "string" + } + url: { + description: "URL of senhasegura" + type: "string" + } + } + required: [ + "auth", + "module", + "url", + ] + type: "object" + } + vault: { + description: "Vault configures this store to sync secrets using Hashi provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." + properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + roleRef: { + description: "Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + iam: { + description: "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method" + properties: { + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + jwt: { + description: "Specify a service account with IRSA enabled" + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + path: { + description: "Path where the AWS auth method is enabled in Vault, e.g: \"aws\"" + type: "string" + } + region: { + description: "AWS region" + type: "string" + } + role: { + description: "This is the AWS role to be assumed before talking to vault" + type: "string" + } + secretRef: { + description: "Specify credentials in a Secret object" + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + vaultAwsIamServerID: { + description: "X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws" + type: "string" + } + vaultRole: { + description: "Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine" + type: "string" + } + } + required: ["vaultRole"] + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. 
Deprecated: use serviceAccountRef.Audiences instead" + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + userPass: { + description: "UserPass authenticates with Vault by passing username/password pair" + properties: { + path: { + default: "user" + description: "Path where the UserPassword authentication backend is mounted in Vault, e.g: \"user\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + username: { + description: "Username is a user name used to authenticate using the UserPass Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". 
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." + type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." + enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + webhook: { + description: "Webhook configures this store to sync secrets using a generic templated webhook" + properties: { + body: { + description: "Body" + type: "string" + } + caBundle: { + description: "PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate webhook server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." 
+ type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + headers: { + additionalProperties: type: "string" + description: "Headers" + type: "object" + } + method: { + description: "Webhook Method" + type: "string" + } + result: { + description: "Result formatting" + properties: jsonPath: { + description: "Json path of return value" + type: "string" + } + type: "object" + } + secrets: { + description: "Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name" + items: { + properties: { + name: { + description: "Name of this secret in templates" + type: "string" + } + secretRef: { + description: "Secret ref to fill in credentials" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "name", + "secretRef", + ] + type: "object" + } + type: "array" + } + timeout: { + description: "Timeout" + type: "string" + } + url: { + description: "Webhook url to call" + type: "string" + } + } + required: [ + "result", + "url", + ] + type: "object" + } + yandexcertificatemanager: { + description: "YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Certificate Manager" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + yandexlockbox: { + description: "YandexLockbox configures this store to sync secrets using Yandex Lockbox provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Lockbox" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + } + type: "object" + } + refreshInterval: { + description: "Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config." + type: "integer" + } + retrySettings: { + description: "Used to configure http retries if failed" + properties: { + maxRetries: { + format: "int32" + type: "integer" + } + retryInterval: type: "string" + } + type: "object" + } + } + required: ["provider"] + type: "object" + } + status: { + description: "SecretStoreStatus defines the observed state of the SecretStore." + properties: { + capabilities: { + description: "SecretStoreCapabilities defines the possible operations a SecretStore can do." + type: "string" + } + conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "ecrauthorizationtokens.generators.external-secrets.io" + spec: { + group: "generators.external-secrets.io" + names: { + categories: ["ecrauthorizationtoken"] + kind: "ECRAuthorizationToken" + listKind: "ECRAuthorizationTokenList" + plural: "ecrauthorizationtokens" + shortNames: ["ecrauthorizationtoken"] + singular: "ecrauthorizationtoken" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { 
+ description: "ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + properties: { + auth: { + description: "Auth defines how to authenticate with AWS" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + region: { + description: "Region specifies the region to operate in." + type: "string" + } + role: { + description: "You can assume a role before making calls to the desired AWS service." 
+ type: "string" + } + } + required: ["region"] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "externalsecrets.external-secrets.io" + spec: { + group: "external-secrets.io" + names: { + categories: ["externalsecrets"] + kind: "ExternalSecret" + listKind: "ExternalSecretList" + plural: "externalsecrets" + shortNames: ["es"] + singular: "externalsecret" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".spec.secretStoreRef.name" + name: "Store" + type: "string" + }, { + jsonPath: ".spec.refreshInterval" + name: "Refresh Interval" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }] + deprecated: true + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ExternalSecret is the Schema for the external-secrets API." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "ExternalSecretSpec defines the desired state of ExternalSecret." 
+ properties: { + data: { + description: "Data defines the connection between the Kubernetes Secret keys and the Provider data" + items: { + description: "ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data." + properties: { + remoteRef: { + description: "ExternalSecretDataRemoteRef defines Provider data location." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: ["key"] + type: "object" + } + secretKey: type: "string" + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + type: "array" + } + dataFrom: { + description: "DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order" + items: { + description: "ExternalSecretDataRemoteRef defines Provider data location." 
+ properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + refreshInterval: { + default: "1h" + description: "RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\" May be set to zero to fetch and create it once. Defaults to 1h." + type: "string" + } + secretStoreRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." + properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + target: { + description: "ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret." + properties: { + creationPolicy: { + default: "Owner" + description: "CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'" + type: "string" + } + immutable: { + description: "Immutable defines if the final secret will be immutable" + type: "boolean" + } + name: { + description: "Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource" + type: "string" + } + template: { + description: "Template defines a blueprint for the created Secret resource." 
+ properties: { + data: { + additionalProperties: type: "string" + type: "object" + } + engineVersion: { + default: "v1" + description: "EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]." + type: "string" + } + metadata: { + description: "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint." + properties: { + annotations: { + additionalProperties: type: "string" + type: "object" + } + labels: { + additionalProperties: type: "string" + type: "object" + } + } + type: "object" + } + templateFrom: { + items: { + maxProperties: 1 + minProperties: 1 + properties: { + configMap: { + properties: { + items: { + items: { + properties: key: type: "string" + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + secret: { + properties: { + items: { + items: { + properties: key: type: "string" + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + } + type: "object" + } + type: "array" + } + type: type: "string" + } + type: "object" + } + } + type: "object" + } + } + required: [ + "secretStoreRef", + "target", + ] + type: "object" + } + status: { + properties: { + binding: { + description: "Binding represents a servicebinding.io Provisioned Service reference to the secret" + properties: name: { + description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?" 
+ type: "string" + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + refreshTime: { + description: "refreshTime is the time and date the external secret was fetched and the target secret updated" + format: "date-time" + nullable: true + type: "string" + } + syncedResourceVersion: { + description: "SyncedResourceVersion keeps track of the last synced version" + type: "string" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: false + subresources: status: {} + }, { + additionalPrinterColumns: [{ + jsonPath: ".spec.secretStoreRef.name" + name: "Store" + type: "string" + }, { + jsonPath: ".spec.refreshInterval" + name: "Refresh Interval" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + name: "Ready" + type: "string" + }] + name: "v1beta1" + schema: openAPIV3Schema: { + description: "ExternalSecret is the Schema for the external-secrets API." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "ExternalSecretSpec defines the desired state of ExternalSecret." + properties: { + data: { + description: "Data defines the connection between the Kubernetes Secret keys and the Provider data" + items: { + description: "ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data." + properties: { + remoteRef: { + description: "RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + metadataPolicy: { + description: "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: ["key"] + type: "object" + } + secretKey: { + description: "SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret" + type: "string" + } + sourceRef: { + description: "SourceRef allows you to override the source from which the value will pulled from." 
+ maxProperties: 1 + properties: { + generatorRef: { + description: "GeneratorRef points to a generator custom resource in" + properties: { + apiVersion: { + default: "generators.external-secrets.io/v1alpha1" + description: "Specify the apiVersion of the generator resource" + type: "string" + } + kind: { + description: "Specify the Kind of the resource, e.g. Password, ACRAccessToken etc." + type: "string" + } + name: { + description: "Specify the name of the generator resource" + type: "string" + } + } + required: [ + "kind", + "name", + ] + type: "object" + } + storeRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." + properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + } + type: "object" + } + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + type: "array" + } + dataFrom: { + description: "DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order" + items: { + properties: { + extract: { + description: "Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + metadataPolicy: { + description: "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: ["key"] + type: "object" + } + find: { + description: "Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + name: { + description: "Finds secrets based on the name." + properties: regexp: { + description: "Finds secrets base" + type: "string" + } + type: "object" + } + path: { + description: "A root path to start the find operations." + type: "string" + } + tags: { + additionalProperties: type: "string" + description: "Find secrets based on tags." + type: "object" + } + } + type: "object" + } + rewrite: { + description: "Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)" + items: { + properties: regexp: { + description: "Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation." + properties: { + source: { + description: "Used to define the regular expression of a re.Compiler." + type: "string" + } + target: { + description: "Used to define the target pattern of a ReplaceAll operation." + type: "string" + } + } + required: [ + "source", + "target", + ] + type: "object" + } + type: "object" + } + type: "array" + } + sourceRef: { + description: "SourceRef points to a store or generator which contains secret values ready to use. 
Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values" + maxProperties: 1 + properties: { + generatorRef: { + description: "GeneratorRef points to a generator custom resource in" + properties: { + apiVersion: { + default: "generators.external-secrets.io/v1alpha1" + description: "Specify the apiVersion of the generator resource" + type: "string" + } + kind: { + description: "Specify the Kind of the resource, e.g. Password, ACRAccessToken etc." + type: "string" + } + name: { + description: "Specify the name of the generator resource" + type: "string" + } + } + required: [ + "kind", + "name", + ] + type: "object" + } + storeRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." + properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + } + type: "object" + } + } + type: "object" + } + type: "array" + } + refreshInterval: { + default: "1h" + description: "RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\" May be set to zero to fetch and create it once. Defaults to 1h." + type: "string" + } + secretStoreRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." 
+ properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + target: { + default: { + creationPolicy: "Owner" + deletionPolicy: "Retain" + } + description: "ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret." + properties: { + creationPolicy: { + default: "Owner" + description: "CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'" + enum: [ + "Owner", + "Orphan", + "Merge", + "None", + ] + type: "string" + } + deletionPolicy: { + default: "Retain" + description: "DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'" + enum: [ + "Delete", + "Merge", + "Retain", + ] + type: "string" + } + immutable: { + description: "Immutable defines if the final secret will be immutable" + type: "boolean" + } + name: { + description: "Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource" + type: "string" + } + template: { + description: "Template defines a blueprint for the created Secret resource." + properties: { + data: { + additionalProperties: type: "string" + type: "object" + } + engineVersion: { + default: "v2" + type: "string" + } + mergePolicy: { + default: "Replace" + type: "string" + } + metadata: { + description: "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint." 
+ properties: { + annotations: { + additionalProperties: type: "string" + type: "object" + } + labels: { + additionalProperties: type: "string" + type: "object" + } + } + type: "object" + } + templateFrom: { + items: { + properties: { + configMap: { + properties: { + items: { + items: { + properties: { + key: type: "string" + templateAs: { + default: "Values" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + literal: type: "string" + secret: { + properties: { + items: { + items: { + properties: { + key: type: "string" + templateAs: { + default: "Values" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + target: { + default: "Data" + type: "string" + } + } + type: "object" + } + type: "array" + } + type: type: "string" + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + status: { + properties: { + binding: { + description: "Binding represents a servicebinding.io Provisioned Service reference to the secret" + properties: name: { + description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?" 
+ type: "string" + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + refreshTime: { + description: "refreshTime is the time and date the external secret was fetched and the target secret updated" + format: "date-time" + nullable: true + type: "string" + } + syncedResourceVersion: { + description: "SyncedResourceVersion keeps track of the last synced version" + type: "string" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "fakes.generators.external-secrets.io" + spec: { + group: "generators.external-secrets.io" + names: { + categories: ["fake"] + kind: "Fake" + listKind: "FakeList" + plural: "fakes" + shortNames: ["fake"] + singular: "fake" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "Fake generator is used for testing. It lets you define a static set of credentials that is always returned." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "FakeSpec contains the static data." + properties: { + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property" + type: "string" + } + data: { + additionalProperties: type: "string" + description: "Data defines the static data returned by this generator." + type: "object" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "gcraccesstokens.generators.external-secrets.io" + spec: { + group: "generators.external-secrets.io" + names: { + categories: ["gcraccesstoken"] + kind: "GCRAccessToken" + listKind: "GCRAccessTokenList" + plural: "gcraccesstokens" + shortNames: ["gcraccesstoken"] + singular: "gcraccesstoken" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "GCRAccessToken generates an GCP access token that can be used to authenticate with GCR." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + properties: { + auth: { + description: "Auth defines the means for authenticating with GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID defines which project to use to authenticate with" + type: "string" + } + } + required: [ + "auth", + "projectID", + ] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "passwords.generators.external-secrets.io" + spec: { + group: "generators.external-secrets.io" + names: { + categories: ["password"] + kind: "Password" + listKind: "PasswordList" + plural: "passwords" + shortNames: ["password"] + singular: "password" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "PasswordSpec controls the behavior of the password generator." + properties: { + allowRepeat: { + default: false + description: "set AllowRepeat to true to allow repeating characters." + type: "boolean" + } + digits: { + description: "Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password" + type: "integer" + } + length: { + default: 24 + description: "Length of the password to be generated. Defaults to 24" + type: "integer" + } + noUpper: { + default: false + description: "Set NoUpper to disable uppercase characters" + type: "boolean" + } + symbolCharacters: { + description: "SymbolCharacters specifies the special characters that should be used in the generated password." + type: "string" + } + symbols: { + description: "Symbols specifies the number of symbol characters in the generated password. 
If omitted it defaults to 25% of the length of the password" + type: "integer" + } + } + required: [ + "allowRepeat", + "length", + "noUpper", + ] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "pushsecrets.external-secrets.io" + spec: { + group: "external-secrets.io" + names: { + categories: ["pushsecrets"] + kind: "PushSecret" + listKind: "PushSecretList" + plural: "pushsecrets" + singular: "pushsecret" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "PushSecretSpec configures the behavior of the PushSecret." 
+ properties: { + data: { + description: "Secret Data that should be pushed to providers" + items: { + properties: { + match: { + description: "Match a given Secret Key to be pushed to the provider." + properties: { + remoteRef: { + description: "Remote Refs to push to providers." + properties: { + property: { + description: "Name of the property in the resulting secret" + type: "string" + } + remoteKey: { + description: "Name of the resulting provider secret." + type: "string" + } + } + required: ["remoteKey"] + type: "object" + } + secretKey: { + description: "Secret Key to be pushed" + type: "string" + } + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + metadata: { + description: "Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation." + "x-kubernetes-preserve-unknown-fields": true + } + } + required: ["match"] + type: "object" + } + type: "array" + } + deletionPolicy: { + default: "None" + description: "Deletion Policy to handle Secrets in the provider. Possible Values: \"Delete/None\". Defaults to \"None\"." + type: "string" + } + refreshInterval: { + description: "The Interval to which External Secrets will try to push a secret definition" + type: "string" + } + secretStoreRefs: { + items: { + properties: { + kind: { + default: "SecretStore" + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + labelSelector: { + description: "Optionally, sync to secret stores with label selector" + properties: { + matchExpressions: { + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: { + description: "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values." + properties: { + key: { + description: "key is the label key that the selector applies to." 
+ type: "string" + } + operator: { + description: "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + } + values: { + description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch." + items: type: "string" + type: "array" + } + } + required: [ + "key", + "operator", + ] + type: "object" + } + type: "array" + } + matchLabels: { + additionalProperties: type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + name: { + description: "Optionally, sync to the SecretStore of the given name" + type: "string" + } + } + type: "object" + } + type: "array" + } + selector: { + description: "The Secret Selector (k8s source) for the Push Secret" + properties: secret: { + description: "Select a Secret to Push." + properties: name: { + description: "Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest." + type: "string" + } + required: ["name"] + type: "object" + } + required: ["secret"] + type: "object" + } + } + required: [ + "secretStoreRefs", + "selector", + ] + type: "object" + } + status: { + description: "PushSecretStatus indicates the history of the status of PushSecret." + properties: { + conditions: { + items: { + description: "PushSecretStatusCondition indicates the status of the PushSecret." 
+ properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: { + description: "PushSecretConditionType indicates the condition of the PushSecret." + type: "string" + } + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + refreshTime: { + description: "refreshTime is the time and date the external secret was fetched and the target secret updated" + format: "date-time" + nullable: true + type: "string" + } + syncedPushSecrets: { + additionalProperties: { + additionalProperties: { + properties: { + match: { + description: "Match a given Secret Key to be pushed to the provider." + properties: { + remoteRef: { + description: "Remote Refs to push to providers." + properties: { + property: { + description: "Name of the property in the resulting secret" + type: "string" + } + remoteKey: { + description: "Name of the resulting provider secret." + type: "string" + } + } + required: ["remoteKey"] + type: "object" + } + secretKey: { + description: "Secret Key to be pushed" + type: "string" + } + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + metadata: { + description: "Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation." + "x-kubernetes-preserve-unknown-fields": true + } + } + required: ["match"] + type: "object" + } + type: "object" + } + description: "Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore." + type: "object" + } + syncedResourceVersion: { + description: "SyncedResourceVersion keeps track of the last synced version." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "secretstores.external-secrets.io" + spec: { + group: "external-secrets.io" + names: { + categories: ["externalsecrets"] + kind: "SecretStore" + listKind: "SecretStoreList" + plural: "secretstores" + shortNames: ["ss"] + singular: "secretstore" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }] + deprecated: true + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "SecretStoreSpec defines the desired state of SecretStore." 
+ properties: { + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property" + type: "string" + } + provider: { + description: "Used to configure the provider. Only one provider may be set" + maxProperties: 1 + minProperties: 1 + properties: { + akeyless: { + description: "Akeyless configures this store to sync secrets using Akeyless Vault provider" + properties: { + akeylessGWApiURL: { + description: "Akeyless GW API Url from which the secrets to be fetched from." + type: "string" + } + authSecretRef: { + description: "Auth configures how the operator authenticates with Akeyless." + properties: { + kubernetesAuth: { + description: "Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource." + properties: { + accessID: { + description: "the Akeyless Kubernetes auth-method access-id" + type: "string" + } + k8sConfName: { + description: "Kubernetes-auth configuration name in Akeyless-Gateway" + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "accessID", + "k8sConfName", + ] + type: "object" + } + secretRef: { + description: "Reference to a Secret that contains the details to authenticate with Akeyless." + properties: { + accessID: { + description: "The SecretAccessID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessType: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." 
+ properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessTypeParam: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Akeyless Gateway certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." 
+ type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + } + required: [ + "akeylessGWApiURL", + "authSecretRef", + ] + type: "object" + } + alibaba: { + description: "Alibaba configures this store to sync secrets using Alibaba Cloud provider" + properties: { + auth: { + description: "AlibabaAuth contains a secretRef for credentials." + properties: { + rrsa: { + description: "Authenticate against Alibaba using RRSA." + properties: { + oidcProviderArn: type: "string" + oidcTokenFilePath: type: "string" + roleArn: type: "string" + sessionName: type: "string" + } + required: [ + "oidcProviderArn", + "oidcTokenFilePath", + "roleArn", + "sessionName", + ] + type: "object" + } + secretRef: { + description: "AlibabaAuthSecretRef holds secret references for Alibaba credentials." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessKeySecretSecretRef: { + description: "The AccessKeySecret is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKeyIDSecretRef", + "accessKeySecretSecretRef", + ] + type: "object" + } + } + type: "object" + } + regionID: { + description: "Alibaba Region to be used for the provider" + type: "string" + } + } + required: [ + "auth", + "regionID", + ] + type: "object" + } + aws: { + description: "AWS configures this store to sync secrets using AWS Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." 
+ properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + region: { + description: "AWS Region to be used for the provider" + type: "string" + } + role: { + description: "Role is a Role ARN which the SecretManager provider will assume" + type: "string" + } + service: { + description: "Service defines which service should be used to fetch the secrets" + enum: [ + "SecretsManager", + "ParameterStore", + ] + type: "string" + } + } + required: [ + "region", + "service", + ] + type: "object" + } + azurekv: { + description: "AzureKV configures this store to sync secrets using Azure Key Vault provider" + properties: { + authSecretRef: { + description: "Auth configures how the operator authenticates with Azure. 
Required for ServicePrincipal auth type." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + authType: { + default: "ServicePrincipal" + description: "Auth type defines how to authenticate to the keyvault service. 
Valid values are: - \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret) - \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)" + enum: [ + "ServicePrincipal", + "ManagedIdentity", + "WorkloadIdentity", + ] + type: "string" + } + identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." + type: "string" + } + vaultUrl: { + description: "Vault Url from which the secrets to be fetched from." 
+ type: "string" + } + } + required: ["vaultUrl"] + type: "object" + } + fake: { + description: "Fake configures a store with static key/value pairs" + properties: data: { + items: { + properties: { + key: type: "string" + value: type: "string" + valueMap: { + additionalProperties: type: "string" + type: "object" + } + version: type: "string" + } + required: ["key"] + type: "object" + } + type: "array" + } + required: ["data"] + type: "object" + } + gcpsm: { + description: "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID project where secret is located" + type: "string" + } + } + type: "object" + } + gitlab: { + description: "GitLab configures this store to sync secrets using GitLab Variables provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a GitLab instance." + properties: SecretRef: { + properties: accessToken: { + description: "AccessToken is used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["SecretRef"] + type: "object" + } + projectID: { + description: "ProjectID specifies a project where secrets are located." + type: "string" + } + url: { + description: "URL configures the GitLab instance URL. Defaults to https://gitlab.com/." + type: "string" + } + } + required: ["auth"] + type: "object" + } + ibm: { + description: "IBM configures this store to sync secrets using IBM Cloud provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the IBM secrets manager." 
+ properties: secretRef: { + properties: secretApiKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["secretRef"] + type: "object" + } + serviceUrl: { + description: "ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance" + type: "string" + } + } + required: ["auth"] + type: "object" + } + kubernetes: { + description: "Kubernetes configures this store to sync secrets using a Kubernetes cluster provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a Kubernetes instance." + maxProperties: 1 + minProperties: 1 + properties: { + cert: { + description: "has both clientCert and clientKey as secretKeySelector" + properties: { + clientCert: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + clientKey: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + serviceAccount: { + description: "points to a service account that should be used for authentication" + properties: serviceAccount: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + token: { + description: "use static token to authenticate with" + properties: bearerToken: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + remoteNamespace: { + default: "default" + description: "Remote namespace to fetch the secrets from" + type: "string" + } + server: { + description: "configures the Kubernetes server Address." + properties: { + caBundle: { + description: "CABundle is a base64-encoded CA certificate" + format: "byte" + type: "string" + } + caProvider: { + description: "see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider" + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + url: { + default: "kubernetes.default" + description: "configures the Kubernetes server Address." + type: "string" + } + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + oracle: { + description: "Oracle configures this store to sync secrets using Oracle Vault provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth." 
+ properties: { + secretRef: { + description: "SecretRef to pass through sensitive information." + properties: { + fingerprint: { + description: "Fingerprint is the fingerprint of the API private key." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + privatekey: { + description: "PrivateKey is the user's API Signing Key in PEM format, used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "fingerprint", + "privatekey", + ] + type: "object" + } + tenancy: { + description: "Tenancy is the tenancy OCID where user is located." + type: "string" + } + user: { + description: "User is an access OCID specific to the account." + type: "string" + } + } + required: [ + "secretRef", + "tenancy", + "user", + ] + type: "object" + } + region: { + description: "Region is the region where vault is located." + type: "string" + } + vault: { + description: "Vault is the vault's OCID of the specific vault where secret is located." 
+ type: "string" + } + } + required: [ + "region", + "vault", + ] + type: "object" + } + vault: { + description: "Vault configures this store to sync secrets using Hashi provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." + properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "roleId", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified." + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." 
+ properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." 
+ type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." + enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + webhook: { + description: "Webhook configures this store to sync secrets using a generic templated webhook" + properties: { + body: { + description: "Body" + type: "string" + } + caBundle: { + description: "PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate webhook server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." 
+ enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + headers: { + additionalProperties: type: "string" + description: "Headers" + type: "object" + } + method: { + description: "Webhook Method" + type: "string" + } + result: { + description: "Result formatting" + properties: jsonPath: { + description: "Json path of return value" + type: "string" + } + type: "object" + } + secrets: { + description: "Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name" + items: { + properties: { + name: { + description: "Name of this secret in templates" + type: "string" + } + secretRef: { + description: "Secret ref to fill in credentials" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "name", + "secretRef", + ] + type: "object" + } + type: "array" + } + timeout: { + description: "Timeout" + type: "string" + } + url: { + description: "Webhook url to call" + type: "string" + } + } + required: [ + "result", + "url", + ] + type: "object" + } + yandexlockbox: { + description: "YandexLockbox configures this store to sync secrets using Yandex Lockbox provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 
'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Lockbox" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + } + type: "object" + } + retrySettings: { + description: "Used to configure http retries if failed" + properties: { + maxRetries: { + format: "int32" + type: "integer" + } + retryInterval: type: "string" + } + type: "object" + } + } + required: ["provider"] + type: "object" + } + status: { + description: "SecretStoreStatus defines the observed state of the SecretStore." + properties: conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + type: "object" + } + } + type: "object" + } + served: true + storage: false + subresources: status: {} + }, { + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }, { + jsonPath: ".status.capabilities" + name: "Capabilities" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + name: "Ready" + type: "string" + }] + name: "v1beta1" + schema: openAPIV3Schema: { + description: "SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "SecretStoreSpec defines the desired state of SecretStore." + properties: { + conditions: { + description: "Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore" + items: { + description: "ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance." + properties: { + namespaceSelector: { + description: "Choose namespace using a labelSelector" + properties: { + matchExpressions: { + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: { + description: "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values." + properties: { + key: { + description: "key is the label key that the selector applies to." + type: "string" + } + operator: { + description: "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + } + values: { + description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch." + items: type: "string" + type: "array" + } + } + required: [ + "key", + "operator", + ] + type: "object" + } + type: "array" + } + matchLabels: { + additionalProperties: type: "string" + description: "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + namespaces: { + description: "Choose namespaces by name" + items: type: "string" + type: "array" + } + } + type: "object" + } + type: "array" + } + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property" + type: "string" + } + provider: { + description: "Used to configure the provider. Only one provider may be set" + maxProperties: 1 + minProperties: 1 + properties: { + akeyless: { + description: "Akeyless configures this store to sync secrets using Akeyless Vault provider" + properties: { + akeylessGWApiURL: { + description: "Akeyless GW API Url from which the secrets to be fetched from." + type: "string" + } + authSecretRef: { + description: "Auth configures how the operator authenticates with Akeyless." + properties: { + kubernetesAuth: { + description: "Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource." + properties: { + accessID: { + description: "the Akeyless Kubernetes auth-method access-id" + type: "string" + } + k8sConfName: { + description: "Kubernetes-auth configuration name in Akeyless-Gateway" + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "accessID", + "k8sConfName", + ] + type: "object" + } + secretRef: { + description: "Reference to a Secret that contains the details to authenticate with Akeyless." + properties: { + accessID: { + description: "The SecretAccessID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessType: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessTypeParam: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection." 
+ format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Akeyless Gateway certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + } + required: [ + "akeylessGWApiURL", + "authSecretRef", + ] + type: "object" + } + alibaba: { + description: "Alibaba configures this store to sync secrets using Alibaba Cloud provider" + properties: { + auth: { + description: "AlibabaAuth contains a secretRef for credentials." + properties: { + rrsa: { + description: "Authenticate against Alibaba using RRSA." + properties: { + oidcProviderArn: type: "string" + oidcTokenFilePath: type: "string" + roleArn: type: "string" + sessionName: type: "string" + } + required: [ + "oidcProviderArn", + "oidcTokenFilePath", + "roleArn", + "sessionName", + ] + type: "object" + } + secretRef: { + description: "AlibabaAuthSecretRef holds secret references for Alibaba credentials." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessKeySecretSecretRef: { + description: "The AccessKeySecret is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKeyIDSecretRef", + "accessKeySecretSecretRef", + ] + type: "object" + } + } + type: "object" + } + regionID: { + description: "Alibaba Region to be used for the provider" + type: "string" + } + } + required: [ + "auth", + "regionID", + ] + type: "object" + } + aws: { + description: "AWS configures this store to sync secrets using AWS Secret Manager provider" + properties: { + additionalRoles: { + description: "AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role" + items: type: "string" + type: "array" + } + auth: { + description: "Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + region: { + description: "AWS Region to be used for the provider" + type: "string" + } + role: { + description: "Role is a Role ARN which the SecretManager provider will assume" + type: "string" + } + service: { + description: "Service defines which service should be used to fetch the secrets" + enum: [ + "SecretsManager", + "ParameterStore", + ] + type: "string" + } + sessionTags: { + description: "AWS STS assume role session tags" + items: { + properties: { + key: type: "string" + value: type: "string" + } + required: [ + "key", + "value", + ] + type: "object" + } + type: "array" + } + transitiveTagKeys: { + description: "AWS STS assume role transitive session tags. 
Required when multiple rules are used with SecretStore" + items: type: "string" + type: "array" + } + } + required: [ + "region", + "service", + ] + type: "object" + } + azurekv: { + description: "AzureKV configures this store to sync secrets using Azure Key Vault provider" + properties: { + authSecretRef: { + description: "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + authType: { + default: "ServicePrincipal" + description: "Auth type defines how to authenticate to the keyvault service. 
Valid values are: - \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret) - \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)" + enum: [ + "ServicePrincipal", + "ManagedIdentity", + "WorkloadIdentity", + ] + type: "string" + } + environmentType: { + default: "PublicCloud" + description: "EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud" + enum: [ + "PublicCloud", + "USGovernmentCloud", + "ChinaCloud", + "GermanCloud", + ] + type: "string" + } + identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." 
+ type: "string" + } + vaultUrl: { + description: "Vault Url from which the secrets to be fetched from." + type: "string" + } + } + required: ["vaultUrl"] + type: "object" + } + conjur: { + description: "Conjur configures this store to sync secrets using conjur provider" + properties: { + auth: { + properties: apikey: { + properties: { + account: type: "string" + apiKeyRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + userRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "account", + "apiKeyRef", + "userRef", + ] + type: "object" + } + required: ["apikey"] + type: "object" + } + caBundle: type: "string" + url: type: "string" + } + required: [ + "auth", + "url", + ] + type: "object" + } + delinea: { + description: "Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current" + properties: { + clientId: { + description: "ClientID is the non-secret part of the credential." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "ClientSecret is the secret part of the credential." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + tenant: { + description: "Tenant is the chosen hostname / site name." + type: "string" + } + tld: { + description: "TLD is based on the server location that was chosen during provisioning. If unset, defaults to \"com\"." + type: "string" + } + urlTemplate: { + description: "URLTemplate If unset, defaults to \"https://%s.secretsvaultcloud.%s/v1/%s%s\"." + type: "string" + } + } + required: [ + "clientId", + "clientSecret", + "tenant", + ] + type: "object" + } + doppler: { + description: "Doppler configures this store to sync secrets using the Doppler provider" + properties: { + auth: { + description: "Auth configures how the Operator authenticates with the Doppler API" + properties: secretRef: { + properties: dopplerToken: { + description: "The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + required: ["dopplerToken"] + type: "object" + } + required: ["secretRef"] + type: "object" + } + config: { + description: "Doppler config (required if not using a Service Token)" + type: "string" + } + format: { + description: "Format enables the downloading of secrets as a file (string)" + enum: [ + "json", + "dotnet-json", + "env", + "yaml", + "docker", + ] + type: "string" + } + nameTransformer: { + description: "Environment variable compatible name transforms that change secret names to a different format" + enum: [ + "upper-camel", + "camel", + "lower-snake", + "tf-var", + "dotnet-env", + "lower-kebab", + ] + type: "string" + } + project: { + description: "Doppler project (required if not using a Service Token)" + type: "string" + } + } + required: ["auth"] + type: "object" + } + fake: { + description: "Fake configures a store with static key/value pairs" + properties: data: { + items: { + properties: { + key: type: "string" + value: type: "string" + valueMap: { + additionalProperties: type: "string" + type: "object" + } + version: type: "string" + } + required: ["key"] + type: "object" + } + type: "array" + } + required: ["data"] + type: "object" + } + gcpsm: { + description: "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID project where secret is located" + type: "string" + } + } + type: "object" + } + gitlab: { + description: "GitLab configures this store to sync secrets using GitLab Variables provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a GitLab instance." + properties: SecretRef: { + properties: accessToken: { + description: "AccessToken is used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["SecretRef"] + type: "object" + } + environment: { + description: "Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)" + type: "string" + } + groupIDs: { + description: "GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables." + items: type: "string" + type: "array" + } + inheritFromGroups: { + description: "InheritFromGroups specifies whether parent groups should be discovered and checked for secrets." + type: "boolean" + } + projectID: { + description: "ProjectID specifies a project where secrets are located." + type: "string" + } + url: { + description: "URL configures the GitLab instance URL. Defaults to https://gitlab.com/." + type: "string" + } + } + required: ["auth"] + type: "object" + } + ibm: { + description: "IBM configures this store to sync secrets using IBM Cloud provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the IBM secrets manager." + maxProperties: 1 + minProperties: 1 + properties: { + containerAuth: { + description: "IBM Container-based auth with IAM Trusted Profile." 
+ properties: { + iamEndpoint: type: "string" + profile: { + description: "the IBM Trusted Profile" + type: "string" + } + tokenLocation: { + description: "Location the token is mounted on the pod" + type: "string" + } + } + required: ["profile"] + type: "object" + } + secretRef: { + properties: secretApiKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + serviceUrl: { + description: "ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance" + type: "string" + } + } + required: ["auth"] + type: "object" + } + keepersecurity: { + description: "KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider" + properties: { + authRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + folderID: type: "string" + } + required: [ + "authRef", + "folderID", + ] + type: "object" + } + kubernetes: { + description: "Kubernetes configures this store to sync secrets using a Kubernetes cluster provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a Kubernetes instance." + maxProperties: 1 + minProperties: 1 + properties: { + cert: { + description: "has both clientCert and clientKey as secretKeySelector" + properties: { + clientCert: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientKey: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + serviceAccount: { + description: "points to a service account that should be used for authentication" + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + token: { + description: "use static token to authenticate with" + properties: bearerToken: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + remoteNamespace: { + default: "default" + description: "Remote namespace to fetch the secrets from" + type: "string" + } + server: { + description: "configures the Kubernetes server Address." 
+ properties: { + caBundle: { + description: "CABundle is a base64-encoded CA certificate" + format: "byte" + type: "string" + } + caProvider: { + description: "see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider" + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + url: { + default: "kubernetes.default" + description: "configures the Kubernetes server Address." + type: "string" + } + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + onepassword: { + description: "OnePassword configures this store to sync secrets using the 1Password Cloud provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against OnePassword Connect Server" + properties: secretRef: { + description: "OnePasswordAuthSecretRef holds secret references for 1Password credentials." + properties: connectTokenSecretRef: { + description: "The ConnectToken is used for authentication to a 1Password Connect Server." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + required: ["connectTokenSecretRef"] + type: "object" + } + required: ["secretRef"] + type: "object" + } + connectHost: { + description: "ConnectHost defines the OnePassword Connect Server to connect to" + type: "string" + } + vaults: { + additionalProperties: type: "integer" + description: "Vaults defines which OnePassword vaults to search in which order" + type: "object" + } + } + required: [ + "auth", + "connectHost", + "vaults", + ] + type: "object" + } + oracle: { + description: "Oracle configures this store to sync secrets using Oracle Vault provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth." + properties: { + secretRef: { + description: "SecretRef to pass through sensitive information." + properties: { + fingerprint: { + description: "Fingerprint is the fingerprint of the API private key." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + privatekey: { + description: "PrivateKey is the user's API Signing Key in PEM format, used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "fingerprint", + "privatekey", + ] + type: "object" + } + tenancy: { + description: "Tenancy is the tenancy OCID where user is located." + type: "string" + } + user: { + description: "User is an access OCID specific to the account." + type: "string" + } + } + required: [ + "secretRef", + "tenancy", + "user", + ] + type: "object" + } + region: { + description: "Region is the region where vault is located." + type: "string" + } + vault: { + description: "Vault is the vault's OCID of the specific vault where secret is located." + type: "string" + } + } + required: [ + "region", + "vault", + ] + type: "object" + } + scaleway: { + description: "Scaleway" + properties: { + accessKey: { + description: "AccessKey is the non-secret part of the api key." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + apiUrl: { + description: "APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com" + type: "string" + } + projectId: { + description: "ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings" + type: "string" + } + region: { + description: "Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone" + type: "string" + } + secretKey: { + description: "SecretKey is the non-secret part of the api key." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKey", + "projectId", + "region", + "secretKey", + ] + type: "object" + } + senhasegura: { + description: "Senhasegura configures this store to sync secrets using senhasegura provider" + properties: { + auth: { + description: "Auth defines parameters to authenticate in senhasegura" + properties: { + clientId: type: "string" + clientSecretSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "clientId", + "clientSecretSecretRef", + ] + type: "object" + } + ignoreSslCertificate: { + default: false + description: "IgnoreSslCertificate defines if SSL certificate must be ignored" + type: "boolean" + } + module: { + description: "Module defines which senhasegura module should be used to get secrets" + type: "string" + } + url: { + description: "URL of senhasegura" + type: "string" + } + } + required: [ + "auth", + "module", + "url", + ] + type: "object" + } + vault: { + description: "Vault configures this store to sync secrets using Hashi provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." + properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + roleRef: { + description: "Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + iam: { + description: "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method" + properties: { + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + jwt: { + description: "Specify a service account with IRSA enabled" + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + path: { + description: "Path where the AWS auth method is enabled in Vault, e.g: \"aws\"" + type: "string" + } + region: { + description: "AWS region" + type: "string" + } + role: { + description: "This is the AWS role to be assumed before talking to vault" + type: "string" + } + secretRef: { + description: "Specify credentials in a Secret object" + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + vaultAwsIamServerID: { + description: "X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws" + type: "string" + } + vaultRole: { + description: "Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine" + type: "string" + } + } + required: ["vaultRole"] + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. 
Deprecated: use serviceAccountRef.Audiences instead" + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + userPass: { + description: "UserPass authenticates with Vault by passing username/password pair" + properties: { + path: { + default: "user" + description: "Path where the UserPassword authentication backend is mounted in Vault, e.g: \"user\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + username: { + description: "Username is a user name used to authenticate using the UserPass Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". 
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." + type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." + enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + webhook: { + description: "Webhook configures this store to sync secrets using a generic templated webhook" + properties: { + body: { + description: "Body" + type: "string" + } + caBundle: { + description: "PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate webhook server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." 
+ type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + headers: { + additionalProperties: type: "string" + description: "Headers" + type: "object" + } + method: { + description: "Webhook Method" + type: "string" + } + result: { + description: "Result formatting" + properties: jsonPath: { + description: "Json path of return value" + type: "string" + } + type: "object" + } + secrets: { + description: "Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name" + items: { + properties: { + name: { + description: "Name of this secret in templates" + type: "string" + } + secretRef: { + description: "Secret ref to fill in credentials" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "name", + "secretRef", + ] + type: "object" + } + type: "array" + } + timeout: { + description: "Timeout" + type: "string" + } + url: { + description: "Webhook url to call" + type: "string" + } + } + required: [ + "result", + "url", + ] + type: "object" + } + yandexcertificatemanager: { + description: "YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Certificate Manager" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + yandexlockbox: { + description: "YandexLockbox configures this store to sync secrets using Yandex Lockbox provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Lockbox" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + } + type: "object" + } + refreshInterval: { + description: "Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config." + type: "integer" + } + retrySettings: { + description: "Used to configure http retries if failed" + properties: { + maxRetries: { + format: "int32" + type: "integer" + } + retryInterval: type: "string" + } + type: "object" + } + } + required: ["provider"] + type: "object" + } + status: { + description: "SecretStoreStatus defines the observed state of the SecretStore." + properties: { + capabilities: { + description: "SecretStoreCapabilities defines the possible operations a SecretStore can do." + type: "string" + } + conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + metadata: name: "vaultdynamicsecrets.generators.external-secrets.io" + spec: { + group: "generators.external-secrets.io" + names: { + categories: ["vaultdynamicsecret"] + kind: "VaultDynamicSecret" + listKind: "VaultDynamicSecretList" + plural: "vaultdynamicsecrets" + shortNames: ["vaultdynamicsecret"] + singular: "vaultdynamicsecret" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + properties: { + 
apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + properties: { + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property" + type: "string" + } + method: { + description: "Vault API method to use (GET/POST/other)" + type: "string" + } + parameters: { + description: "Parameters to pass to Vault write (for non-GET methods)" + "x-kubernetes-preserve-unknown-fields": true + } + path: { + description: "Vault path to obtain the dynamic secret from" + type: "string" + } + provider: { + description: "Vault provider common spec" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." + properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." 
+ type: "string" + } + roleRef: { + description: "Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + iam: { + description: "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method" + properties: { + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + jwt: { + description: "Specify a service account with IRSA enabled" + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + path: { + description: "Path where the AWS auth method is enabled in Vault, e.g: \"aws\"" + type: "string" + } + region: { + description: "AWS region" + type: "string" + } + role: { + description: "This is the AWS role to be assumed before talking to vault" + type: "string" + } + secretRef: { + description: "Specify credentials in a Secret object" + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + vaultAwsIamServerID: { + description: "X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. 
More details here: https://developer.hashicorp.com/vault/docs/auth/aws" + type: "string" + } + vaultRole: { + description: "Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine" + type: "string" + } + } + required: ["vaultRole"] + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead" + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. 
If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + userPass: { + description: "UserPass authenticates with Vault by passing username/password pair" + properties: { + path: { + default: "user" + description: "Path where the UserPassword authentication backend is mounted in Vault, e.g: \"user\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + username: { + description: "Username is a user name used to authenticate using the UserPass Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." 
+ type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." + type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." 
+ enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + resultType: { + default: "Data" + description: "Result type defines which data is returned from the generator. By default it is the \"data\" section of the Vault API response. When using e.g. /auth/token/create the \"data\" section is empty but the \"auth\" section contains the generated token. Please refer to the vault docs regarding the result data structure." + type: "string" + } + } + required: [ + "path", + "provider", + ] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}] diff --git a/k8s/amour/onepassword_operator/deployment_list.cue b/k8s/amour/external_secrets/deployment_list.cue similarity index 51% rename from k8s/amour/onepassword_operator/deployment_list.cue rename to k8s/amour/external_secrets/deployment_list.cue index b720e19da..b72be9371 100644 --- a/k8s/amour/onepassword_operator/deployment_list.cue +++ b/k8s/amour/external_secrets/deployment_list.cue @@ -1,4 +1,4 @@ -package onepassword_operator +package external_secrets import ( appsv1 "k8s.io/api/apps/v1" 
@@ -21,33 +21,12 @@ import (
 metadata: labels: "app.kubernetes.io/name": #Name
 spec: {
 containers: [{
- name: "onepassword-operator"
- image: "1password/onepassword-operator:1.8.0@sha256:7ff622466ae375b5a35308b7cd96a9e26d14511666c540468c94e8e97102e7dd"
- env: [{
- name: "POD_NAME"
- valueFrom: fieldRef: fieldPath: "metadata.name"
- }, {
- name: "OPERATOR_NAME"
- value: "onepassword-operator"
- }, {
- name: "OP_CONNECT_HOST"
- value: "http://onepassword-connect.onepassword-connect:8080"
- }, {
- name: "POLLING_INTERVAL"
- value: "600"
- }, {
- name: "OP_CONNECT_TOKEN"
- valueFrom: secretKeyRef: {
- name: "onepassword-connect-token"
- key: "token"
- }
- }, {
- name: "AUTO_RESTART"
- value: "false"
- }]
+ name: "external-secrets"
+ image: "ghcr.io/external-secrets/external-secrets:v0.9.5"
+ args: ["--concurrent=1"]
 ports: [{
- name: "https"
- containerPort: 443
+ name: "http-metrics"
+ containerPort: 8080
 }]
 imagePullPolicy: v1.#PullIfNotPresent
 securityContext: {
@@ -56,7 +35,6 @@ import (
 allowPrivilegeEscalation: false
 }
 }]
- nodeSelector: (v1.#LabelOSStable): v1.#Linux
 serviceAccountName: #Name
 securityContext: {
 runAsUser: 1000
diff --git a/k8s/amour/external_secrets/external-secrets.cue b/k8s/amour/external_secrets/external-secrets.cue
new file mode 100644
index 000000000..ee7282fd3
--- /dev/null
+++ b/k8s/amour/external_secrets/external-secrets.cue
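Review bot: The new `image:` line in the `@@ -21,33 +21,12 @@` hunk drops the content-digest pin that the removed 1Password line carried; `ghcr.io/external-secrets/external-secrets:v0.9.5` is resolved by mutable tag only, so the bytes behind this manifest can change without any change to the manifest, and the running image cannot be tied back to a reviewed build. Keep the tag for readability but append the digest, e.g. `image: "ghcr.io/external-secrets/external-secrets:v0.9.5@sha256:<DIGEST_PLACEHOLDER>"` with the digest taken from the registry at review time. The `imagePullPolicy: v1.#PullIfNotPresent` context line further down makes the pin more relevant, since a node that already holds a `v0.9.5` tag will keep serving whatever it cached. The container list and the deployment body continue outside the hunk.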
@@ -0,0 +1,10968 @@ +serviceaccount: [{ + // Source: external-secrets/templates/serviceaccount.yaml + apiVersion: "v1" + kind: "ServiceAccount" + metadata: { + name: "external-secrets" + namespace: "external-secrets" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + } +}, { + // Source: external-secrets/templates/webhook-serviceaccount.yaml + apiVersion: "v1" + kind: "ServiceAccount" + metadata: { + name: "external-secrets-webhook" + namespace: "external-secrets" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets-webhook" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + } +}] +customresourcedefinition: [{ + // Source: external-secrets/templates/crds/acraccesstoken.yaml + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinition" + metadata: { + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "acraccesstokens.generators.external-secrets.io" + } + spec: { + group: "generators.external-secrets.io" + names: { + categories: [ + "acraccesstoken", + ] + kind: "ACRAccessToken" + listKind: "ACRAccessTokenList" + plural: "acraccesstokens" + shortNames: [ + "acraccesstoken", + ] + singular: "acraccesstoken" + } + scope: "Namespaced" + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: """ + ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. 
In case scope is defined it will return an ACR Access Token. + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md + """ + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview" + properties: { + auth: { + properties: { + managedIdentity: { + description: "ManagedIdentity uses Azure Managed Identity to authenticate with Azure." + properties: identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + type: "object" + } + servicePrincipal: { + description: "ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure." + properties: secretRef: { + description: "Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + required: [ + "secretRef", + ] + type: "object" + } + workloadIdentity: { + description: "WorkloadIdentity uses Azure Workload Identity to authenticate with Azure." + properties: serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: [ + "name", + ] + type: "object" + } + type: "object" + } + } + type: "object" + } + environmentType: { + default: "PublicCloud" + description: "EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud" + enum: [ + "PublicCloud", + "USGovernmentCloud", + "ChinaCloud", + "GermanCloud", + ] + type: "string" + } + registry: { + description: "the domain name of the ACR registry e.g. foobarexample.azurecr.io" + type: "string" + } + scope: { + description: """ + Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. + examples: repository:my-repository:pull,push repository:my-repository:pull + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ + """ + type: "string" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." 
+ type: "string" + } + } + required: [ + "auth", + "registry", + ] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: [ + "v1", + ] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/clusterexternalsecret.yaml + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinition" + metadata: { + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "clusterexternalsecrets.external-secrets.io" + } + spec: { + group: "external-secrets.io" + names: { + categories: [ + "externalsecrets", + ] + kind: "ClusterExternalSecret" + listKind: "ClusterExternalSecretList" + plural: "clusterexternalsecrets" + shortNames: [ + "ces", + ] + singular: "clusterexternalsecret" + } + scope: "Cluster" + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".spec.externalSecretSpec.secretStoreRef.name" + name: "Store" + type: "string" + }, { + jsonPath: ".spec.refreshTime" + name: "Refresh Interval" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + name: "Ready" + type: "string" + }] + name: "v1beta1" + schema: openAPIV3Schema: { + description: "ClusterExternalSecret is the Schema for the clusterexternalsecrets API." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret." + properties: { + externalSecretMetadata: { + description: "The metadata of the external secrets to be created" + properties: { + annotations: { + additionalProperties: type: "string" + type: "object" + } + labels: { + additionalProperties: type: "string" + type: "object" + } + } + type: "object" + } + externalSecretName: { + description: "The name of the external secrets to be created defaults to the name of the ClusterExternalSecret" + type: "string" + } + externalSecretSpec: { + description: "The spec for the ExternalSecrets to be created" + properties: { + data: { + description: "Data defines the connection between the Kubernetes Secret keys and the Provider data" + items: { + description: "ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data." + properties: { + remoteRef: { + description: "RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + metadataPolicy: { + description: "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: [ + "key", + ] + type: "object" + } + secretKey: { + description: "SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret" + type: "string" + } + sourceRef: { + description: "SourceRef allows you to override the source from which the value will pulled from." + maxProperties: 1 + properties: { + generatorRef: { + description: "GeneratorRef points to a generator custom resource in" + properties: { + apiVersion: { + default: "generators.external-secrets.io/v1alpha1" + description: "Specify the apiVersion of the generator resource" + type: "string" + } + kind: { + description: "Specify the Kind of the resource, e.g. Password, ACRAccessToken etc." + type: "string" + } + name: { + description: "Specify the name of the generator resource" + type: "string" + } + } + required: [ + "kind", + "name", + ] + type: "object" + } + storeRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." 
+ properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: [ + "name", + ] + type: "object" + } + } + type: "object" + } + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + type: "array" + } + dataFrom: { + description: "DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order" + items: { + properties: { + extract: { + description: "Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + metadataPolicy: { + description: "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: [ + "key", + ] + type: "object" + } + find: { + description: "Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef." 
+ properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + name: { + description: "Finds secrets based on the name." + properties: regexp: { + description: "Finds secrets base" + type: "string" + } + type: "object" + } + path: { + description: "A root path to start the find operations." + type: "string" + } + tags: { + additionalProperties: type: "string" + description: "Find secrets based on tags." + type: "object" + } + } + type: "object" + } + rewrite: { + description: "Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)" + items: { + properties: regexp: { + description: "Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation." + properties: { + source: { + description: "Used to define the regular expression of a re.Compiler." + type: "string" + } + target: { + description: "Used to define the target pattern of a ReplaceAll operation." + type: "string" + } + } + required: [ + "source", + "target", + ] + type: "object" + } + type: "object" + } + type: "array" + } + sourceRef: { + description: "SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. 
The generator returns a static map of values" + maxProperties: 1 + properties: { + generatorRef: { + description: "GeneratorRef points to a generator custom resource in" + properties: { + apiVersion: { + default: "generators.external-secrets.io/v1alpha1" + description: "Specify the apiVersion of the generator resource" + type: "string" + } + kind: { + description: "Specify the Kind of the resource, e.g. Password, ACRAccessToken etc." + type: "string" + } + name: { + description: "Specify the name of the generator resource" + type: "string" + } + } + required: [ + "kind", + "name", + ] + type: "object" + } + storeRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." + properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: [ + "name", + ] + type: "object" + } + } + type: "object" + } + } + type: "object" + } + type: "array" + } + refreshInterval: { + default: "1h" + description: "RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\" May be set to zero to fetch and create it once. Defaults to 1h." + type: "string" + } + secretStoreRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." 
+ properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + target: { + default: { + creationPolicy: "Owner" + deletionPolicy: "Retain" + } + description: "ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret." + properties: { + creationPolicy: { + default: "Owner" + description: "CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'" + enum: [ + "Owner", + "Orphan", + "Merge", + "None", + ] + type: "string" + } + deletionPolicy: { + default: "Retain" + description: "DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'" + enum: [ + "Delete", + "Merge", + "Retain", + ] + type: "string" + } + immutable: { + description: "Immutable defines if the final secret will be immutable" + type: "boolean" + } + name: { + description: "Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource" + type: "string" + } + template: { + description: "Template defines a blueprint for the created Secret resource." + properties: { + data: { + additionalProperties: type: "string" + type: "object" + } + engineVersion: { + default: "v2" + type: "string" + } + mergePolicy: { + default: "Replace" + type: "string" + } + metadata: { + description: "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint." 
+ properties: { + annotations: { + additionalProperties: type: "string" + type: "object" + } + labels: { + additionalProperties: type: "string" + type: "object" + } + } + type: "object" + } + templateFrom: { + items: { + properties: { + configMap: { + properties: { + items: { + items: { + properties: { + key: type: "string" + templateAs: { + default: "Values" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + literal: type: "string" + secret: { + properties: { + items: { + items: { + properties: { + key: type: "string" + templateAs: { + default: "Values" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + target: { + default: "Data" + type: "string" + } + } + type: "object" + } + type: "array" + } + type: type: "string" + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + namespaceSelector: { + description: "The labels to select by to find the Namespaces to create the ExternalSecrets in." + properties: { + matchExpressions: { + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: { + description: "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values." + properties: { + key: { + description: "key is the label key that the selector applies to." + type: "string" + } + operator: { + description: "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + } + values: { + description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch." + items: type: "string" + type: "array" + } + } + required: [ + "key", + "operator", + ] + type: "object" + } + type: "array" + } + matchLabels: { + additionalProperties: type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + refreshTime: { + description: "The time in which the controller should reconcile it's objects and recheck namespaces for labels." + type: "string" + } + } + required: [ + "externalSecretSpec", + "namespaceSelector", + ] + type: "object" + } + status: { + description: "ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret." + properties: { + conditions: { + items: { + properties: { + message: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + externalSecretName: { + description: "ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret" + type: "string" + } + failedNamespaces: { + description: "Failed namespaces are the namespaces that failed to apply an ExternalSecret" + items: { + description: "ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason." 
+ properties: { + namespace: { + description: "Namespace is the namespace that failed when trying to apply an ExternalSecret" + type: "string" + } + reason: { + description: "Reason is why the ExternalSecret failed to apply to the namespace" + type: "string" + } + } + required: ["namespace"] + type: "object" + } + type: "array" + } + provisionedNamespaces: { + description: "ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets" + items: type: "string" + type: "array" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/clustersecretstore.yaml + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinition" + metadata: { + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "clustersecretstores.external-secrets.io" + } + spec: { + group: "external-secrets.io" + names: { + categories: ["externalsecrets"] + kind: "ClusterSecretStore" + listKind: "ClusterSecretStoreList" + plural: "clustersecretstores" + shortNames: ["css"] + singular: "clustersecretstore" + } + scope: "Cluster" + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }] + deprecated: true + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields." 
+ properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "SecretStoreSpec defines the desired state of SecretStore." + properties: { + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property" + type: "string" + } + provider: { + description: "Used to configure the provider. Only one provider may be set" + maxProperties: 1 + minProperties: 1 + properties: { + akeyless: { + description: "Akeyless configures this store to sync secrets using Akeyless Vault provider" + properties: { + akeylessGWApiURL: { + description: "Akeyless GW API Url from which the secrets to be fetched from." + type: "string" + } + authSecretRef: { + description: "Auth configures how the operator authenticates with Akeyless." + properties: { + kubernetesAuth: { + description: "Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource." 
+ properties: { + accessID: { + description: "the Akeyless Kubernetes auth-method access-id" + type: "string" + } + k8sConfName: { + description: "Kubernetes-auth configuration name in Akeyless-Gateway" + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "accessID", + "k8sConfName", + ] + type: "object" + } + secretRef: { + description: "Reference to a Secret that contains the details to authenticate with Akeyless." + properties: { + accessID: { + description: "The SecretAccessID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessType: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessTypeParam: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Akeyless Gateway certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + } + required: [ + "akeylessGWApiURL", + "authSecretRef", + ] + type: "object" + } + alibaba: { + description: "Alibaba configures this store to sync secrets using Alibaba Cloud provider" + properties: { + auth: { + description: "AlibabaAuth contains a secretRef for credentials." + properties: { + rrsa: { + description: "Authenticate against Alibaba using RRSA." + properties: { + oidcProviderArn: type: "string" + oidcTokenFilePath: type: "string" + roleArn: type: "string" + sessionName: type: "string" + } + required: [ + "oidcProviderArn", + "oidcTokenFilePath", + "roleArn", + "sessionName", + ] + type: "object" + } + secretRef: { + description: "AlibabaAuthSecretRef holds secret references for Alibaba credentials." 
+ properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessKeySecretSecretRef: { + description: "The AccessKeySecret is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "accessKeyIDSecretRef", + "accessKeySecretSecretRef", + ] + type: "object" + } + } + type: "object" + } + regionID: { + description: "Alibaba Region to be used for the provider" + type: "string" + } + } + required: [ + "auth", + "regionID", + ] + type: "object" + } + aws: { + description: "AWS configures this store to sync secrets using AWS Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + region: { + description: "AWS Region to be used for the provider" + type: "string" + } + role: { + description: "Role is a Role ARN which the SecretManager provider will assume" + type: "string" + } + service: { + description: "Service defines which service should be used to fetch the secrets" + enum: [ + "SecretsManager", + "ParameterStore", + ] + type: "string" + } + } + required: [ + "region", + "service", + ] + type: "object" + } + azurekv: { + description: "AzureKV configures this store to sync secrets using Azure Key Vault provider" + properties: { + authSecretRef: { + description: "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." 
+ properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + authType: { + default: "ServicePrincipal" + description: "Auth type defines how to authenticate to the keyvault service. Valid values are: - \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret) - \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)" + enum: [ + "ServicePrincipal", + "ManagedIdentity", + "WorkloadIdentity", + ] + type: "string" + } + identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." + type: "string" + } + vaultUrl: { + description: "Vault Url from which the secrets to be fetched from." + type: "string" + } + } + required: ["vaultUrl"] + type: "object" + } + fake: { + description: "Fake configures a store with static key/value pairs" + properties: data: { + items: { + properties: { + key: type: "string" + value: type: "string" + valueMap: { + additionalProperties: type: "string" + type: "object" + } + version: type: "string" + } + required: ["key"] + type: "object" + } + type: "array" + } + required: ["data"] + type: "object" + } + gcpsm: { + description: "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID project where secret is located" + type: "string" + } + } + type: "object" + } + gitlab: { + description: "GitLab configures this store to sync secrets using GitLab Variables provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a GitLab instance." + properties: SecretRef: { + properties: accessToken: { + description: "AccessToken is used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["SecretRef"] + type: "object" + } + projectID: { + description: "ProjectID specifies a project where secrets are located." + type: "string" + } + url: { + description: "URL configures the GitLab instance URL. Defaults to https://gitlab.com/." + type: "string" + } + } + required: ["auth"] + type: "object" + } + ibm: { + description: "IBM configures this store to sync secrets using IBM Cloud provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the IBM secrets manager." + properties: secretRef: { + properties: secretApiKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["secretRef"] + type: "object" + } + serviceUrl: { + description: "ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance" + type: "string" + } + } + required: ["auth"] + type: "object" + } + kubernetes: { + description: "Kubernetes configures this store to sync secrets using a Kubernetes cluster provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a Kubernetes instance." + maxProperties: 1 + minProperties: 1 + properties: { + cert: { + description: "has both clientCert and clientKey as secretKeySelector" + properties: { + clientCert: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientKey: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + serviceAccount: { + description: "points to a service account that should be used for authentication" + properties: serviceAccount: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + token: { + description: "use static token to authenticate with" + properties: bearerToken: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + remoteNamespace: { + default: "default" + description: "Remote namespace to fetch the secrets from" + type: "string" + } + server: { + description: "configures the Kubernetes server Address." 
+ properties: { + caBundle: { + description: "CABundle is a base64-encoded CA certificate" + format: "byte" + type: "string" + } + caProvider: { + description: "see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider" + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + url: { + default: "kubernetes.default" + description: "configures the Kubernetes server Address." + type: "string" + } + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + oracle: { + description: "Oracle configures this store to sync secrets using Oracle Vault provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth." + properties: { + secretRef: { + description: "SecretRef to pass through sensitive information." + properties: { + fingerprint: { + description: "Fingerprint is the fingerprint of the API private key." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + privatekey: { + description: "PrivateKey is the user's API Signing Key in PEM format, used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "fingerprint", + "privatekey", + ] + type: "object" + } + tenancy: { + description: "Tenancy is the tenancy OCID where user is located." + type: "string" + } + user: { + description: "User is an access OCID specific to the account." + type: "string" + } + } + required: [ + "secretRef", + "tenancy", + "user", + ] + type: "object" + } + region: { + description: "Region is the region where vault is located." + type: "string" + } + vault: { + description: "Vault is the vault's OCID of the specific vault where secret is located." + type: "string" + } + } + required: [ + "region", + "vault", + ] + type: "object" + } + vault: { + description: "Vault configures this store to sync secrets using Hashi provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." 
+ properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "roleId", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified." + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. 
A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." 
+ type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." + enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + webhook: { + description: "Webhook configures this store to sync secrets using a generic templated webhook" + properties: { + body: { + description: "Body" + type: "string" + } + caBundle: { + description: "PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate webhook server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." 
+ enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + headers: { + additionalProperties: type: "string" + description: "Headers" + type: "object" + } + method: { + description: "Webhook Method" + type: "string" + } + result: { + description: "Result formatting" + properties: jsonPath: { + description: "Json path of return value" + type: "string" + } + type: "object" + } + secrets: { + description: "Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name" + items: { + properties: { + name: { + description: "Name of this secret in templates" + type: "string" + } + secretRef: { + description: "Secret ref to fill in credentials" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "name", + "secretRef", + ] + type: "object" + } + type: "array" + } + timeout: { + description: "Timeout" + type: "string" + } + url: { + description: "Webhook url to call" + type: "string" + } + } + required: [ + "result", + "url", + ] + type: "object" + } + yandexlockbox: { + description: "YandexLockbox configures this store to sync secrets using Yandex Lockbox provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 
'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Lockbox" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + } + type: "object" + } + retrySettings: { + description: "Used to configure http retries if failed" + properties: { + maxRetries: { + format: "int32" + type: "integer" + } + retryInterval: type: "string" + } + type: "object" + } + } + required: ["provider"] + type: "object" + } + status: { + description: "SecretStoreStatus defines the observed state of the SecretStore." + properties: conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + type: "object" + } + } + type: "object" + } + served: true + storage: false + subresources: status: {} + }, { + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }, { + jsonPath: ".status.capabilities" + name: "Capabilities" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + name: "Ready" + type: "string" + }] + name: "v1beta1" + schema: openAPIV3Schema: { + description: "ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "SecretStoreSpec defines the desired state of SecretStore." + properties: { + conditions: { + description: "Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore" + items: { + description: "ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance." + properties: { + namespaceSelector: { + description: "Choose namespace using a labelSelector" + properties: { + matchExpressions: { + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: { + description: "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values." + properties: { + key: { + description: "key is the label key that the selector applies to." + type: "string" + } + operator: { + description: "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + } + values: { + description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch." + items: type: "string" + type: "array" + } + } + required: [ + "key", + "operator", + ] + type: "object" + } + type: "array" + } + matchLabels: { + additionalProperties: type: "string" + description: "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + namespaces: { + description: "Choose namespaces by name" + items: type: "string" + type: "array" + } + } + type: "object" + } + type: "array" + } + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property" + type: "string" + } + provider: { + description: "Used to configure the provider. Only one provider may be set" + maxProperties: 1 + minProperties: 1 + properties: { + akeyless: { + description: "Akeyless configures this store to sync secrets using Akeyless Vault provider" + properties: { + akeylessGWApiURL: { + description: "Akeyless GW API Url from which the secrets to be fetched from." + type: "string" + } + authSecretRef: { + description: "Auth configures how the operator authenticates with Akeyless." + properties: { + kubernetesAuth: { + description: "Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource." + properties: { + accessID: { + description: "the Akeyless Kubernetes auth-method access-id" + type: "string" + } + k8sConfName: { + description: "Kubernetes-auth configuration name in Akeyless-Gateway" + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "accessID", + "k8sConfName", + ] + type: "object" + } + secretRef: { + description: "Reference to a Secret that contains the details to authenticate with Akeyless." + properties: { + accessID: { + description: "The SecretAccessID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessType: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessTypeParam: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection." 
+ format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Akeyless Gateway certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + } + required: [ + "akeylessGWApiURL", + "authSecretRef", + ] + type: "object" + } + alibaba: { + description: "Alibaba configures this store to sync secrets using Alibaba Cloud provider" + properties: { + auth: { + description: "AlibabaAuth contains a secretRef for credentials." + properties: { + rrsa: { + description: "Authenticate against Alibaba using RRSA." + properties: { + oidcProviderArn: type: "string" + oidcTokenFilePath: type: "string" + roleArn: type: "string" + sessionName: type: "string" + } + required: [ + "oidcProviderArn", + "oidcTokenFilePath", + "roleArn", + "sessionName", + ] + type: "object" + } + secretRef: { + description: "AlibabaAuthSecretRef holds secret references for Alibaba credentials." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessKeySecretSecretRef: { + description: "The AccessKeySecret is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKeyIDSecretRef", + "accessKeySecretSecretRef", + ] + type: "object" + } + } + type: "object" + } + regionID: { + description: "Alibaba Region to be used for the provider" + type: "string" + } + } + required: [ + "auth", + "regionID", + ] + type: "object" + } + aws: { + description: "AWS configures this store to sync secrets using AWS Secret Manager provider" + properties: { + additionalRoles: { + description: "AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role" + items: type: "string" + type: "array" + } + auth: { + description: "Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + region: { + description: "AWS Region to be used for the provider" + type: "string" + } + role: { + description: "Role is a Role ARN which the SecretManager provider will assume" + type: "string" + } + service: { + description: "Service defines which service should be used to fetch the secrets" + enum: [ + "SecretsManager", + "ParameterStore", + ] + type: "string" + } + sessionTags: { + description: "AWS STS assume role session tags" + items: { + properties: { + key: type: "string" + value: type: "string" + } + required: [ + "key", + "value", + ] + type: "object" + } + type: "array" + } + transitiveTagKeys: { + description: "AWS STS assume role transitive session tags. 
Required when multiple rules are used with SecretStore" + items: type: "string" + type: "array" + } + } + required: [ + "region", + "service", + ] + type: "object" + } + azurekv: { + description: "AzureKV configures this store to sync secrets using Azure Key Vault provider" + properties: { + authSecretRef: { + description: "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + authType: { + default: "ServicePrincipal" + description: "Auth type defines how to authenticate to the keyvault service. 
Valid values are: - \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret) - \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)" + enum: [ + "ServicePrincipal", + "ManagedIdentity", + "WorkloadIdentity", + ] + type: "string" + } + environmentType: { + default: "PublicCloud" + description: "EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud" + enum: [ + "PublicCloud", + "USGovernmentCloud", + "ChinaCloud", + "GermanCloud", + ] + type: "string" + } + identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." 
+ type: "string" + } + vaultUrl: { + description: "Vault Url from which the secrets to be fetched from." + type: "string" + } + } + required: ["vaultUrl"] + type: "object" + } + conjur: { + description: "Conjur configures this store to sync secrets using conjur provider" + properties: { + auth: { + properties: apikey: { + properties: { + account: type: "string" + apiKeyRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + userRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "account", + "apiKeyRef", + "userRef", + ] + type: "object" + } + required: ["apikey"] + type: "object" + } + caBundle: type: "string" + url: type: "string" + } + required: [ + "auth", + "url", + ] + type: "object" + } + delinea: { + description: "Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current" + properties: { + clientId: { + description: "ClientID is the non-secret part of the credential." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "ClientSecret is the secret part of the credential." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + tenant: { + description: "Tenant is the chosen hostname / site name." + type: "string" + } + tld: { + description: "TLD is based on the server location that was chosen during provisioning. If unset, defaults to \"com\"." + type: "string" + } + urlTemplate: { + description: "URLTemplate If unset, defaults to \"https://%s.secretsvaultcloud.%s/v1/%s%s\"." + type: "string" + } + } + required: [ + "clientId", + "clientSecret", + "tenant", + ] + type: "object" + } + doppler: { + description: "Doppler configures this store to sync secrets using the Doppler provider" + properties: { + auth: { + description: "Auth configures how the Operator authenticates with the Doppler API" + properties: secretRef: { + properties: dopplerToken: { + description: "The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + required: ["dopplerToken"] + type: "object" + } + required: ["secretRef"] + type: "object" + } + config: { + description: "Doppler config (required if not using a Service Token)" + type: "string" + } + format: { + description: "Format enables the downloading of secrets as a file (string)" + enum: [ + "json", + "dotnet-json", + "env", + "yaml", + "docker", + ] + type: "string" + } + nameTransformer: { + description: "Environment variable compatible name transforms that change secret names to a different format" + enum: [ + "upper-camel", + "camel", + "lower-snake", + "tf-var", + "dotnet-env", + "lower-kebab", + ] + type: "string" + } + project: { + description: "Doppler project (required if not using a Service Token)" + type: "string" + } + } + required: ["auth"] + type: "object" + } + fake: { + description: "Fake configures a store with static key/value pairs" + properties: data: { + items: { + properties: { + key: type: "string" + value: type: "string" + valueMap: { + additionalProperties: type: "string" + type: "object" + } + version: type: "string" + } + required: ["key"] + type: "object" + } + type: "array" + } + required: ["data"] + type: "object" + } + gcpsm: { + description: "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID project where secret is located" + type: "string" + } + } + type: "object" + } + gitlab: { + description: "GitLab configures this store to sync secrets using GitLab Variables provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a GitLab instance." + properties: SecretRef: { + properties: accessToken: { + description: "AccessToken is used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["SecretRef"] + type: "object" + } + environment: { + description: "Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)" + type: "string" + } + groupIDs: { + description: "GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables." + items: type: "string" + type: "array" + } + inheritFromGroups: { + description: "InheritFromGroups specifies whether parent groups should be discovered and checked for secrets." + type: "boolean" + } + projectID: { + description: "ProjectID specifies a project where secrets are located." + type: "string" + } + url: { + description: "URL configures the GitLab instance URL. Defaults to https://gitlab.com/." + type: "string" + } + } + required: ["auth"] + type: "object" + } + ibm: { + description: "IBM configures this store to sync secrets using IBM Cloud provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the IBM secrets manager." + maxProperties: 1 + minProperties: 1 + properties: { + containerAuth: { + description: "IBM Container-based auth with IAM Trusted Profile." 
+ properties: { + iamEndpoint: type: "string" + profile: { + description: "the IBM Trusted Profile" + type: "string" + } + tokenLocation: { + description: "Location the token is mounted on the pod" + type: "string" + } + } + required: ["profile"] + type: "object" + } + secretRef: { + properties: secretApiKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + serviceUrl: { + description: "ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance" + type: "string" + } + } + required: ["auth"] + type: "object" + } + keepersecurity: { + description: "KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider" + properties: { + authRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + folderID: type: "string" + } + required: [ + "authRef", + "folderID", + ] + type: "object" + } + kubernetes: { + description: "Kubernetes configures this store to sync secrets using a Kubernetes cluster provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a Kubernetes instance." + maxProperties: 1 + minProperties: 1 + properties: { + cert: { + description: "has both clientCert and clientKey as secretKeySelector" + properties: { + clientCert: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientKey: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + serviceAccount: { + description: "points to a service account that should be used for authentication" + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + token: { + description: "use static token to authenticate with" + properties: bearerToken: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + remoteNamespace: { + default: "default" + description: "Remote namespace to fetch the secrets from" + type: "string" + } + server: { + description: "configures the Kubernetes server Address." 
+ properties: { + caBundle: { + description: "CABundle is a base64-encoded CA certificate" + format: "byte" + type: "string" + } + caProvider: { + description: "see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider" + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + url: { + default: "kubernetes.default" + description: "configures the Kubernetes server Address." + type: "string" + } + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + onepassword: { + description: "OnePassword configures this store to sync secrets using the 1Password Cloud provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against OnePassword Connect Server" + properties: secretRef: { + description: "OnePasswordAuthSecretRef holds secret references for 1Password credentials." + properties: connectTokenSecretRef: { + description: "The ConnectToken is used for authentication to a 1Password Connect Server." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + required: ["connectTokenSecretRef"] + type: "object" + } + required: ["secretRef"] + type: "object" + } + connectHost: { + description: "ConnectHost defines the OnePassword Connect Server to connect to" + type: "string" + } + vaults: { + additionalProperties: type: "integer" + description: "Vaults defines which OnePassword vaults to search in which order" + type: "object" + } + } + required: [ + "auth", + "connectHost", + "vaults", + ] + type: "object" + } + oracle: { + description: "Oracle configures this store to sync secrets using Oracle Vault provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth." + properties: { + secretRef: { + description: "SecretRef to pass through sensitive information." + properties: { + fingerprint: { + description: "Fingerprint is the fingerprint of the API private key." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + privatekey: { + description: "PrivateKey is the user's API Signing Key in PEM format, used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "fingerprint", + "privatekey", + ] + type: "object" + } + tenancy: { + description: "Tenancy is the tenancy OCID where user is located." + type: "string" + } + user: { + description: "User is an access OCID specific to the account." + type: "string" + } + } + required: [ + "secretRef", + "tenancy", + "user", + ] + type: "object" + } + region: { + description: "Region is the region where vault is located." + type: "string" + } + vault: { + description: "Vault is the vault's OCID of the specific vault where secret is located." + type: "string" + } + } + required: [ + "region", + "vault", + ] + type: "object" + } + scaleway: { + description: "Scaleway" + properties: { + accessKey: { + description: "AccessKey is the non-secret part of the api key." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + apiUrl: { + description: "APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com" + type: "string" + } + projectId: { + description: "ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings" + type: "string" + } + region: { + description: "Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone" + type: "string" + } + secretKey: { + description: "SecretKey is the non-secret part of the api key." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKey", + "projectId", + "region", + "secretKey", + ] + type: "object" + } + senhasegura: { + description: "Senhasegura configures this store to sync secrets using senhasegura provider" + properties: { + auth: { + description: "Auth defines parameters to authenticate in senhasegura" + properties: { + clientId: type: "string" + clientSecretSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "clientId", + "clientSecretSecretRef", + ] + type: "object" + } + ignoreSslCertificate: { + default: false + description: "IgnoreSslCertificate defines if SSL certificate must be ignored" + type: "boolean" + } + module: { + description: "Module defines which senhasegura module should be used to get secrets" + type: "string" + } + url: { + description: "URL of senhasegura" + type: "string" + } + } + required: [ + "auth", + "module", + "url", + ] + type: "object" + } + vault: { + description: "Vault configures this store to sync secrets using Hashi provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." + properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + roleRef: { + description: "Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + iam: { + description: "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method" + properties: { + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + jwt: { + description: "Specify a service account with IRSA enabled" + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + path: { + description: "Path where the AWS auth method is enabled in Vault, e.g: \"aws\"" + type: "string" + } + region: { + description: "AWS region" + type: "string" + } + role: { + description: "This is the AWS role to be assumed before talking to vault" + type: "string" + } + secretRef: { + description: "Specify credentials in a Secret object" + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + vaultAwsIamServerID: { + description: "X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws" + type: "string" + } + vaultRole: { + description: "Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine" + type: "string" + } + } + required: ["vaultRole"] + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. 
Deprecated: use serviceAccountRef.Audiences instead" + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + userPass: { + description: "UserPass authenticates with Vault by passing username/password pair" + properties: { + path: { + default: "user" + description: "Path where the UserPassword authentication backend is mounted in Vault, e.g: \"user\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + username: { + description: "Username is a user name used to authenticate using the UserPass Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". 
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." + type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." + enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + webhook: { + description: "Webhook configures this store to sync secrets using a generic templated webhook" + properties: { + body: { + description: "Body" + type: "string" + } + caBundle: { + description: "PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate webhook server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." 
+ type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + headers: { + additionalProperties: type: "string" + description: "Headers" + type: "object" + } + method: { + description: "Webhook Method" + type: "string" + } + result: { + description: "Result formatting" + properties: jsonPath: { + description: "Json path of return value" + type: "string" + } + type: "object" + } + secrets: { + description: "Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name" + items: { + properties: { + name: { + description: "Name of this secret in templates" + type: "string" + } + secretRef: { + description: "Secret ref to fill in credentials" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "name", + "secretRef", + ] + type: "object" + } + type: "array" + } + timeout: { + description: "Timeout" + type: "string" + } + url: { + description: "Webhook url to call" + type: "string" + } + } + required: [ + "result", + "url", + ] + type: "object" + } + yandexcertificatemanager: { + description: "YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Certificate Manager" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + yandexlockbox: { + description: "YandexLockbox configures this store to sync secrets using Yandex Lockbox provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Lockbox" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + } + type: "object" + } + refreshInterval: { + description: "Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config." + type: "integer" + } + retrySettings: { + description: "Used to configure http retries if failed" + properties: { + maxRetries: { + format: "int32" + type: "integer" + } + retryInterval: type: "string" + } + type: "object" + } + } + required: ["provider"] + type: "object" + } + status: { + description: "SecretStoreStatus defines the observed state of the SecretStore." + properties: { + capabilities: { + description: "SecretStoreCapabilities defines the possible operations a SecretStore can do." + type: "string" + } + conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/ecrauthorizationtoken.yaml + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinition" + metadata: { + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "ecrauthorizationtokens.generators.external-secrets.io" + } + spec: { + group: "generators.external-secrets.io" + names: { + categories: 
["ecrauthorizationtoken"] + kind: "ECRAuthorizationToken" + listKind: "ECRAuthorizationTokenList" + plural: "ecrauthorizationtokens" + shortNames: ["ecrauthorizationtoken"] + singular: "ecrauthorizationtoken" + } + scope: "Namespaced" + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + properties: { + auth: { + description: "Auth defines how to authenticate with AWS" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + region: { + description: "Region specifies the region to operate in." + type: "string" + } + role: { + description: "You can assume a role before making calls to the desired AWS service." 
+ type: "string" + } + } + required: ["region"] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/externalsecret.yaml + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinition" + metadata: { + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "externalsecrets.external-secrets.io" + } + spec: { + group: "external-secrets.io" + names: { + categories: ["externalsecrets"] + kind: "ExternalSecret" + listKind: "ExternalSecretList" + plural: "externalsecrets" + shortNames: ["es"] + singular: "externalsecret" + } + scope: "Namespaced" + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".spec.secretStoreRef.name" + name: "Store" + type: "string" + }, { + jsonPath: ".spec.refreshInterval" + name: "Refresh Interval" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }] + deprecated: true + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "ExternalSecret is the Schema for the external-secrets API." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "ExternalSecretSpec defines the desired state of ExternalSecret." + properties: { + data: { + description: "Data defines the connection between the Kubernetes Secret keys and the Provider data" + items: { + description: "ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data." + properties: { + remoteRef: { + description: "ExternalSecretDataRemoteRef defines Provider data location." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: ["key"] + type: "object" + } + secretKey: type: "string" + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + type: "array" + } + dataFrom: { + description: "DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order" + items: { + description: "ExternalSecretDataRemoteRef defines Provider data location." 
+ properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + refreshInterval: { + default: "1h" + description: "RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\" May be set to zero to fetch and create it once. Defaults to 1h." + type: "string" + } + secretStoreRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." + properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + target: { + description: "ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret." + properties: { + creationPolicy: { + default: "Owner" + description: "CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'" + type: "string" + } + immutable: { + description: "Immutable defines if the final secret will be immutable" + type: "boolean" + } + name: { + description: "Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource" + type: "string" + } + template: { + description: "Template defines a blueprint for the created Secret resource." 
+ properties: { + data: { + additionalProperties: type: "string" + type: "object" + } + engineVersion: { + default: "v1" + description: "EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]." + type: "string" + } + metadata: { + description: "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint." + properties: { + annotations: { + additionalProperties: type: "string" + type: "object" + } + labels: { + additionalProperties: type: "string" + type: "object" + } + } + type: "object" + } + templateFrom: { + items: { + maxProperties: 1 + minProperties: 1 + properties: { + configMap: { + properties: { + items: { + items: { + properties: key: type: "string" + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + secret: { + properties: { + items: { + items: { + properties: key: type: "string" + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + } + type: "object" + } + type: "array" + } + type: type: "string" + } + type: "object" + } + } + type: "object" + } + } + required: [ + "secretStoreRef", + "target", + ] + type: "object" + } + status: { + properties: { + binding: { + description: "Binding represents a servicebinding.io Provisioned Service reference to the secret" + properties: name: { + description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?" 
+ type: "string" + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + refreshTime: { + description: "refreshTime is the time and date the external secret was fetched and the target secret updated" + format: "date-time" + nullable: true + type: "string" + } + syncedResourceVersion: { + description: "SyncedResourceVersion keeps track of the last synced version" + type: "string" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: false + subresources: status: {} + }, { + additionalPrinterColumns: [{ + jsonPath: ".spec.secretStoreRef.name" + name: "Store" + type: "string" + }, { + jsonPath: ".spec.refreshInterval" + name: "Refresh Interval" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + name: "Ready" + type: "string" + }] + name: "v1beta1" + schema: openAPIV3Schema: { + description: "ExternalSecret is the Schema for the external-secrets API." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "ExternalSecretSpec defines the desired state of ExternalSecret." + properties: { + data: { + description: "Data defines the connection between the Kubernetes Secret keys and the Provider data" + items: { + description: "ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data." + properties: { + remoteRef: { + description: "RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + metadataPolicy: { + description: "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: ["key"] + type: "object" + } + secretKey: { + description: "SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret" + type: "string" + } + sourceRef: { + description: "SourceRef allows you to override the source from which the value will pulled from." 
+ maxProperties: 1 + properties: { + generatorRef: { + description: "GeneratorRef points to a generator custom resource in" + properties: { + apiVersion: { + default: "generators.external-secrets.io/v1alpha1" + description: "Specify the apiVersion of the generator resource" + type: "string" + } + kind: { + description: "Specify the Kind of the resource, e.g. Password, ACRAccessToken etc." + type: "string" + } + name: { + description: "Specify the name of the generator resource" + type: "string" + } + } + required: [ + "kind", + "name", + ] + type: "object" + } + storeRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." + properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + } + type: "object" + } + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + type: "array" + } + dataFrom: { + description: "DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order" + items: { + properties: { + extract: { + description: "Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + key: { + description: "Key is the key used in the Provider, mandatory" + type: "string" + } + metadataPolicy: { + description: "Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None" + type: "string" + } + property: { + description: "Used to select a specific property of the Provider value (if a map), if supported" + type: "string" + } + version: { + description: "Used to select a specific version of the Provider value, if supported" + type: "string" + } + } + required: ["key"] + type: "object" + } + find: { + description: "Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef." + properties: { + conversionStrategy: { + default: "Default" + description: "Used to define a conversion Strategy" + type: "string" + } + decodingStrategy: { + default: "None" + description: "Used to define a decoding Strategy" + type: "string" + } + name: { + description: "Finds secrets based on the name." + properties: regexp: { + description: "Finds secrets base" + type: "string" + } + type: "object" + } + path: { + description: "A root path to start the find operations." + type: "string" + } + tags: { + additionalProperties: type: "string" + description: "Find secrets based on tags." + type: "object" + } + } + type: "object" + } + rewrite: { + description: "Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)" + items: { + properties: regexp: { + description: "Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation." + properties: { + source: { + description: "Used to define the regular expression of a re.Compiler." + type: "string" + } + target: { + description: "Used to define the target pattern of a ReplaceAll operation." + type: "string" + } + } + required: [ + "source", + "target", + ] + type: "object" + } + type: "object" + } + type: "array" + } + sourceRef: { + description: "SourceRef points to a store or generator which contains secret values ready to use. 
Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values" + maxProperties: 1 + properties: { + generatorRef: { + description: "GeneratorRef points to a generator custom resource in" + properties: { + apiVersion: { + default: "generators.external-secrets.io/v1alpha1" + description: "Specify the apiVersion of the generator resource" + type: "string" + } + kind: { + description: "Specify the Kind of the resource, e.g. Password, ACRAccessToken etc." + type: "string" + } + name: { + description: "Specify the name of the generator resource" + type: "string" + } + } + required: [ + "kind", + "name", + ] + type: "object" + } + storeRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." + properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + } + type: "object" + } + } + type: "object" + } + type: "array" + } + refreshInterval: { + default: "1h" + description: "RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\" May be set to zero to fetch and create it once. Defaults to 1h." + type: "string" + } + secretStoreRef: { + description: "SecretStoreRef defines which SecretStore to fetch the ExternalSecret data." 
+ properties: { + kind: { + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + name: { + description: "Name of the SecretStore resource" + type: "string" + } + } + required: ["name"] + type: "object" + } + target: { + default: { + creationPolicy: "Owner" + deletionPolicy: "Retain" + } + description: "ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret." + properties: { + creationPolicy: { + default: "Owner" + description: "CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'" + enum: [ + "Owner", + "Orphan", + "Merge", + "None", + ] + type: "string" + } + deletionPolicy: { + default: "Retain" + description: "DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'" + enum: [ + "Delete", + "Merge", + "Retain", + ] + type: "string" + } + immutable: { + description: "Immutable defines if the final secret will be immutable" + type: "boolean" + } + name: { + description: "Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource" + type: "string" + } + template: { + description: "Template defines a blueprint for the created Secret resource." + properties: { + data: { + additionalProperties: type: "string" + type: "object" + } + engineVersion: { + default: "v2" + type: "string" + } + mergePolicy: { + default: "Replace" + type: "string" + } + metadata: { + description: "ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint." 
+ properties: { + annotations: { + additionalProperties: type: "string" + type: "object" + } + labels: { + additionalProperties: type: "string" + type: "object" + } + } + type: "object" + } + templateFrom: { + items: { + properties: { + configMap: { + properties: { + items: { + items: { + properties: { + key: type: "string" + templateAs: { + default: "Values" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + literal: type: "string" + secret: { + properties: { + items: { + items: { + properties: { + key: type: "string" + templateAs: { + default: "Values" + type: "string" + } + } + required: ["key"] + type: "object" + } + type: "array" + } + name: type: "string" + } + required: [ + "items", + "name", + ] + type: "object" + } + target: { + default: "Data" + type: "string" + } + } + type: "object" + } + type: "array" + } + type: type: "string" + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + status: { + properties: { + binding: { + description: "Binding represents a servicebinding.io Provisioned Service reference to the secret" + properties: name: { + description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?" 
+ type: "string" + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + refreshTime: { + description: "refreshTime is the time and date the external secret was fetched and the target secret updated" + format: "date-time" + nullable: true + type: "string" + } + syncedResourceVersion: { + description: "SyncedResourceVersion keeps track of the last synced version" + type: "string" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/fake.yaml + apiVersion: + "apiextensions.k8s.io/v1", kind: + "CustomResourceDefinition", metadata: { + + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "fakes.generators.external-secrets.io" + }, spec: { + + group: "generators.external-secrets.io" + names: { + categories: ["fake"] + kind: "Fake" + listKind: "FakeList" + plural: "fakes" + shortNames: ["fake"] + singular: "fake" + } + scope: "Namespaced" + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "Fake generator is used for testing. It lets you define a static set of credentials that is always returned." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "FakeSpec contains the static data." + properties: { + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property" + type: "string" + } + data: { + additionalProperties: type: "string" + description: "Data defines the static data returned by this generator." 
+ type: "object" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/gcraccesstoken.yaml + apiVersion: + "apiextensions.k8s.io/v1", kind: + "CustomResourceDefinition", metadata: { + + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "gcraccesstokens.generators.external-secrets.io" + }, spec: { + + group: "generators.external-secrets.io" + names: { + categories: ["gcraccesstoken"] + kind: "GCRAccessToken" + listKind: "GCRAccessTokenList" + plural: "gcraccesstokens" + shortNames: ["gcraccesstoken"] + singular: "gcraccesstoken" + } + scope: "Namespaced" + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "GCRAccessToken generates an GCP access token that can be used to authenticate with GCR." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + properties: { + auth: { + description: "Auth defines the means for authenticating with GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID defines which project to use to authenticate with" + type: "string" + } + } + required: [ + "auth", + "projectID", + ] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/password.yaml + apiVersion: + "apiextensions.k8s.io/v1", kind: + "CustomResourceDefinition", metadata: { + + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "passwords.generators.external-secrets.io" + }, spec: { + + group: "generators.external-secrets.io" + names: { + categories: ["password"] + kind: "Password" + listKind: "PasswordList" + plural: "passwords" + shortNames: ["password"] + singular: "password" + } + scope: "Namespaced" + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "PasswordSpec controls the behavior of the password generator." + properties: { + allowRepeat: { + default: false + description: "set AllowRepeat to true to allow repeating characters." + type: "boolean" + } + digits: { + description: "Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password" + type: "integer" + } + length: { + default: 24 + description: "Length of the password to be generated. Defaults to 24" + type: "integer" + } + noUpper: { + default: false + description: "Set NoUpper to disable uppercase characters" + type: "boolean" + } + symbolCharacters: { + description: "SymbolCharacters specifies the special characters that should be used in the generated password." + type: "string" + } + symbols: { + description: "Symbols specifies the number of symbol characters in the generated password. 
If omitted it defaults to 25% of the length of the password" + type: "integer" + } + } + required: [ + "allowRepeat", + "length", + "noUpper", + ] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/pushsecret.yaml + apiVersion: + "apiextensions.k8s.io/v1", kind: + "CustomResourceDefinition", metadata: { + + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "pushsecrets.external-secrets.io" + }, spec: { + + group: "external-secrets.io" + names: { + categories: ["pushsecrets"] + kind: "PushSecret" + listKind: "PushSecretList" + plural: "pushsecrets" + singular: "pushsecret" + } + scope: "Namespaced" + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }] + name: "v1alpha1" + schema: openAPIV3Schema: { + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "PushSecretSpec configures the behavior of the PushSecret." + properties: { + data: { + description: "Secret Data that should be pushed to providers" + items: { + properties: { + match: { + description: "Match a given Secret Key to be pushed to the provider." + properties: { + remoteRef: { + description: "Remote Refs to push to providers." + properties: { + property: { + description: "Name of the property in the resulting secret" + type: "string" + } + remoteKey: { + description: "Name of the resulting provider secret." + type: "string" + } + } + required: ["remoteKey"] + type: "object" + } + secretKey: { + description: "Secret Key to be pushed" + type: "string" + } + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + metadata: { + description: "Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation." + "x-kubernetes-preserve-unknown-fields": true + } + } + required: ["match"] + type: "object" + } + type: "array" + } + deletionPolicy: { + default: "None" + description: "Deletion Policy to handle Secrets in the provider. Possible Values: \"Delete/None\". Defaults to \"None\"." + type: "string" + } + refreshInterval: { + description: "The Interval to which External Secrets will try to push a secret definition" + type: "string" + } + secretStoreRefs: { + items: { + properties: { + kind: { + default: "SecretStore" + description: "Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`" + type: "string" + } + labelSelector: { + description: "Optionally, sync to secret stores with label selector" + properties: { + matchExpressions: { + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." 
+ items: { + description: "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values." + properties: { + key: { + description: "key is the label key that the selector applies to." + type: "string" + } + operator: { + description: "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + } + values: { + description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch." + items: type: "string" + type: "array" + } + } + required: [ + "key", + "operator", + ] + type: "object" + } + type: "array" + } + matchLabels: { + additionalProperties: type: "string" + description: "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + name: { + description: "Optionally, sync to the SecretStore of the given name" + type: "string" + } + } + type: "object" + } + type: "array" + } + selector: { + description: "The Secret Selector (k8s source) for the Push Secret" + properties: secret: { + description: "Select a Secret to Push." + properties: name: { + description: "Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest." + type: "string" + } + required: ["name"] + type: "object" + } + required: ["secret"] + type: "object" + } + } + required: [ + "secretStoreRefs", + "selector", + ] + type: "object" + } + status: { + description: "PushSecretStatus indicates the history of the status of PushSecret." 
+ properties: { + conditions: { + items: { + description: "PushSecretStatusCondition indicates the status of the PushSecret." + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: { + description: "PushSecretConditionType indicates the condition of the PushSecret." + type: "string" + } + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + refreshTime: { + description: "refreshTime is the time and date the external secret was fetched and the target secret updated" + format: "date-time" + nullable: true + type: "string" + } + syncedPushSecrets: { + additionalProperties: { + additionalProperties: { + properties: { + match: { + description: "Match a given Secret Key to be pushed to the provider." + properties: { + remoteRef: { + description: "Remote Refs to push to providers." + properties: { + property: { + description: "Name of the property in the resulting secret" + type: "string" + } + remoteKey: { + description: "Name of the resulting provider secret." + type: "string" + } + } + required: ["remoteKey"] + type: "object" + } + secretKey: { + description: "Secret Key to be pushed" + type: "string" + } + } + required: [ + "remoteRef", + "secretKey", + ] + type: "object" + } + metadata: { + description: "Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation." + "x-kubernetes-preserve-unknown-fields": true + } + } + required: ["match"] + type: "object" + } + type: "object" + } + description: "Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore." + type: "object" + } + syncedResourceVersion: { + description: "SyncedResourceVersion keeps track of the last synced version." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/secretstore.yaml + apiVersion: + "apiextensions.k8s.io/v1", kind: + "CustomResourceDefinition", metadata: { + + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "secretstores.external-secrets.io" + }, spec: { + + group: "external-secrets.io" + names: { + categories: ["externalsecrets"] + kind: "SecretStore" + listKind: "SecretStoreList" + plural: "secretstores" + shortNames: ["ss"] + singular: "secretstore" + } + scope: "Namespaced" + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }] + deprecated: true + name: "v1alpha1" + schema: openAPIV3Schema: { + description: "SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "SecretStoreSpec defines the desired state of SecretStore." + properties: { + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property" + type: "string" + } + provider: { + description: "Used to configure the provider. Only one provider may be set" + maxProperties: 1 + minProperties: 1 + properties: { + akeyless: { + description: "Akeyless configures this store to sync secrets using Akeyless Vault provider" + properties: { + akeylessGWApiURL: { + description: "Akeyless GW API Url from which the secrets to be fetched from." + type: "string" + } + authSecretRef: { + description: "Auth configures how the operator authenticates with Akeyless." + properties: { + kubernetesAuth: { + description: "Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource." + properties: { + accessID: { + description: "the Akeyless Kubernetes auth-method access-id" + type: "string" + } + k8sConfName: { + description: "Kubernetes-auth configuration name in Akeyless-Gateway" + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "accessID", + "k8sConfName", + ] + type: "object" + } + secretRef: { + description: "Reference to a Secret that contains the details to authenticate with Akeyless." + properties: { + accessID: { + description: "The SecretAccessID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + accessType: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessTypeParam: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Akeyless Gateway certificate." 
+ properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + } + required: [ + "akeylessGWApiURL", + "authSecretRef", + ] + type: "object" + } + alibaba: { + description: "Alibaba configures this store to sync secrets using Alibaba Cloud provider" + properties: { + auth: { + description: "AlibabaAuth contains a secretRef for credentials." + properties: { + rrsa: { + description: "Authenticate against Alibaba using RRSA." + properties: { + oidcProviderArn: type: "string" + oidcTokenFilePath: type: "string" + roleArn: type: "string" + sessionName: type: "string" + } + required: [ + "oidcProviderArn", + "oidcTokenFilePath", + "roleArn", + "sessionName", + ] + type: "object" + } + secretRef: { + description: "AlibabaAuthSecretRef holds secret references for Alibaba credentials." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + accessKeySecretSecretRef: { + description: "The AccessKeySecret is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKeyIDSecretRef", + "accessKeySecretSecretRef", + ] + type: "object" + } + } + type: "object" + } + regionID: { + description: "Alibaba Region to be used for the provider" + type: "string" + } + } + required: [ + "auth", + "regionID", + ] + type: "object" + } + aws: { + description: "AWS configures this store to sync secrets using AWS Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + region: { + description: "AWS Region to be used for the provider" + type: "string" + } + role: { + description: "Role is a Role ARN which the SecretManager provider will assume" + type: "string" + } + service: { + description: "Service defines which service should be used to fetch the secrets" + enum: [ + "SecretsManager", + "ParameterStore", + ] + type: "string" + } + } + required: [ + "region", + "service", + ] + type: "object" + } + azurekv: { + description: "AzureKV configures this store to sync secrets using Azure Key Vault provider" + properties: { + authSecretRef: { + description: "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + authType: { + default: "ServicePrincipal" + description: "Auth type defines how to authenticate to the keyvault service. Valid values are: - \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret) - \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)" + enum: [ + "ServicePrincipal", + "ManagedIdentity", + "WorkloadIdentity", + ] + type: "string" + } + identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." + type: "string" + } + vaultUrl: { + description: "Vault Url from which the secrets to be fetched from." 
+ type: "string" + } + } + required: ["vaultUrl"] + type: "object" + } + fake: { + description: "Fake configures a store with static key/value pairs" + properties: data: { + items: { + properties: { + key: type: "string" + value: type: "string" + valueMap: { + additionalProperties: type: "string" + type: "object" + } + version: type: "string" + } + required: ["key"] + type: "object" + } + type: "array" + } + required: ["data"] + type: "object" + } + gcpsm: { + description: "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID project where secret is located" + type: "string" + } + } + type: "object" + } + gitlab: { + description: "GitLab configures this store to sync secrets using GitLab Variables provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a GitLab instance." + properties: SecretRef: { + properties: accessToken: { + description: "AccessToken is used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["SecretRef"] + type: "object" + } + projectID: { + description: "ProjectID specifies a project where secrets are located." + type: "string" + } + url: { + description: "URL configures the GitLab instance URL. Defaults to https://gitlab.com/." + type: "string" + } + } + required: ["auth"] + type: "object" + } + ibm: { + description: "IBM configures this store to sync secrets using IBM Cloud provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the IBM secrets manager." 
+ properties: secretRef: { + properties: secretApiKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["secretRef"] + type: "object" + } + serviceUrl: { + description: "ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance" + type: "string" + } + } + required: ["auth"] + type: "object" + } + kubernetes: { + description: "Kubernetes configures this store to sync secrets using a Kubernetes cluster provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a Kubernetes instance." + maxProperties: 1 + minProperties: 1 + properties: { + cert: { + description: "has both clientCert and clientKey as secretKeySelector" + properties: { + clientCert: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + clientKey: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + serviceAccount: { + description: "points to a service account that should be used for authentication" + properties: serviceAccount: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + token: { + description: "use static token to authenticate with" + properties: bearerToken: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + remoteNamespace: { + default: "default" + description: "Remote namespace to fetch the secrets from" + type: "string" + } + server: { + description: "configures the Kubernetes server Address." + properties: { + caBundle: { + description: "CABundle is a base64-encoded CA certificate" + format: "byte" + type: "string" + } + caProvider: { + description: "see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider" + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + url: { + default: "kubernetes.default" + description: "configures the Kubernetes server Address." + type: "string" + } + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + oracle: { + description: "Oracle configures this store to sync secrets using Oracle Vault provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth." 
+ properties: { + secretRef: { + description: "SecretRef to pass through sensitive information." + properties: { + fingerprint: { + description: "Fingerprint is the fingerprint of the API private key." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + privatekey: { + description: "PrivateKey is the user's API Signing Key in PEM format, used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "fingerprint", + "privatekey", + ] + type: "object" + } + tenancy: { + description: "Tenancy is the tenancy OCID where user is located." + type: "string" + } + user: { + description: "User is an access OCID specific to the account." + type: "string" + } + } + required: [ + "secretRef", + "tenancy", + "user", + ] + type: "object" + } + region: { + description: "Region is the region where vault is located." + type: "string" + } + vault: { + description: "Vault is the vault's OCID of the specific vault where secret is located." 
+ type: "string" + } + } + required: [ + "region", + "vault", + ] + type: "object" + } + vault: { + description: "Vault configures this store to sync secrets using Hashi provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." + properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "roleId", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified." + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." 
+ properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." 
+ type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." + enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + webhook: { + description: "Webhook configures this store to sync secrets using a generic templated webhook" + properties: { + body: { + description: "Body" + type: "string" + } + caBundle: { + description: "PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate webhook server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." 
+ enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + headers: { + additionalProperties: type: "string" + description: "Headers" + type: "object" + } + method: { + description: "Webhook Method" + type: "string" + } + result: { + description: "Result formatting" + properties: jsonPath: { + description: "Json path of return value" + type: "string" + } + type: "object" + } + secrets: { + description: "Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name" + items: { + properties: { + name: { + description: "Name of this secret in templates" + type: "string" + } + secretRef: { + description: "Secret ref to fill in credentials" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "name", + "secretRef", + ] + type: "object" + } + type: "array" + } + timeout: { + description: "Timeout" + type: "string" + } + url: { + description: "Webhook url to call" + type: "string" + } + } + required: [ + "result", + "url", + ] + type: "object" + } + yandexlockbox: { + description: "YandexLockbox configures this store to sync secrets using Yandex Lockbox provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 
'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Lockbox" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + } + type: "object" + } + retrySettings: { + description: "Used to configure http retries if failed" + properties: { + maxRetries: { + format: "int32" + type: "integer" + } + retryInterval: type: "string" + } + type: "object" + } + } + required: ["provider"] + type: "object" + } + status: { + description: "SecretStoreStatus defines the observed state of the SecretStore." + properties: conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + type: "object" + } + } + type: "object" + } + served: true + storage: false + subresources: status: {} + }, { + additionalPrinterColumns: [{ + jsonPath: ".metadata.creationTimestamp" + name: "AGE" + type: "date" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: "Status" + type: "string" + }, { + jsonPath: ".status.capabilities" + name: "Capabilities" + type: "string" + }, { + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + name: "Ready" + type: "string" + }] + name: "v1beta1" + schema: openAPIV3Schema: { + description: "SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + description: "SecretStoreSpec defines the desired state of SecretStore." + properties: { + conditions: { + description: "Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore" + items: { + description: "ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance." + properties: { + namespaceSelector: { + description: "Choose namespace using a labelSelector" + properties: { + matchExpressions: { + description: "matchExpressions is a list of label selector requirements. The requirements are ANDed." + items: { + description: "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values." + properties: { + key: { + description: "key is the label key that the selector applies to." + type: "string" + } + operator: { + description: "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist." + type: "string" + } + values: { + description: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch." + items: type: "string" + type: "array" + } + } + required: [ + "key", + "operator", + ] + type: "object" + } + type: "array" + } + matchLabels: { + additionalProperties: type: "string" + description: "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed." + type: "object" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + namespaces: { + description: "Choose namespaces by name" + items: type: "string" + type: "array" + } + } + type: "object" + } + type: "array" + } + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property" + type: "string" + } + provider: { + description: "Used to configure the provider. Only one provider may be set" + maxProperties: 1 + minProperties: 1 + properties: { + akeyless: { + description: "Akeyless configures this store to sync secrets using Akeyless Vault provider" + properties: { + akeylessGWApiURL: { + description: "Akeyless GW API Url from which the secrets to be fetched from." + type: "string" + } + authSecretRef: { + description: "Auth configures how the operator authenticates with Akeyless." + properties: { + kubernetesAuth: { + description: "Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource." + properties: { + accessID: { + description: "the Akeyless Kubernetes auth-method access-id" + type: "string" + } + k8sConfName: { + description: "Kubernetes-auth configuration name in Akeyless-Gateway" + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "accessID", + "k8sConfName", + ] + type: "object" + } + secretRef: { + description: "Reference to a Secret that contains the details to authenticate with Akeyless." + properties: { + accessID: { + description: "The SecretAccessID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessType: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessTypeParam: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection." 
+ format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Akeyless Gateway certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + } + required: [ + "akeylessGWApiURL", + "authSecretRef", + ] + type: "object" + } + alibaba: { + description: "Alibaba configures this store to sync secrets using Alibaba Cloud provider" + properties: { + auth: { + description: "AlibabaAuth contains a secretRef for credentials." + properties: { + rrsa: { + description: "Authenticate against Alibaba using RRSA." + properties: { + oidcProviderArn: type: "string" + oidcTokenFilePath: type: "string" + roleArn: type: "string" + sessionName: type: "string" + } + required: [ + "oidcProviderArn", + "oidcTokenFilePath", + "roleArn", + "sessionName", + ] + type: "object" + } + secretRef: { + description: "AlibabaAuthSecretRef holds secret references for Alibaba credentials." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + accessKeySecretSecretRef: { + description: "The AccessKeySecret is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKeyIDSecretRef", + "accessKeySecretSecretRef", + ] + type: "object" + } + } + type: "object" + } + regionID: { + description: "Alibaba Region to be used for the provider" + type: "string" + } + } + required: [ + "auth", + "regionID", + ] + type: "object" + } + aws: { + description: "AWS configures this store to sync secrets using AWS Secret Manager provider" + properties: { + additionalRoles: { + description: "AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role" + items: type: "string" + type: "array" + } + auth: { + description: "Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" + properties: { + jwt: { + description: "Authenticate against AWS using service account tokens." + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + secretRef: { + description: "AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate." + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + } + type: "object" + } + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + region: { + description: "AWS Region to be used for the provider" + type: "string" + } + role: { + description: "Role is a Role ARN which the SecretManager provider will assume" + type: "string" + } + service: { + description: "Service defines which service should be used to fetch the secrets" + enum: [ + "SecretsManager", + "ParameterStore", + ] + type: "string" + } + sessionTags: { + description: "AWS STS assume role session tags" + items: { + properties: { + key: type: "string" + value: type: "string" + } + required: [ + "key", + "value", + ] + type: "object" + } + type: "array" + } + transitiveTagKeys: { + description: "AWS STS assume role transitive session tags. 
Required when multiple rules are used with SecretStore" + items: type: "string" + type: "array" + } + } + required: [ + "region", + "service", + ] + type: "object" + } + azurekv: { + description: "AzureKV configures this store to sync secrets using Azure Key Vault provider" + properties: { + authSecretRef: { + description: "Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type." + properties: { + clientId: { + description: "The Azure clientId of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "The Azure ClientSecret of the service principle used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + authType: { + default: "ServicePrincipal" + description: "Auth type defines how to authenticate to the keyvault service. 
Valid values are: - \"ServicePrincipal\" (default): Using a service principal (tenantId, clientId, clientSecret) - \"ManagedIdentity\": Using Managed Identity assigned to the pod (see aad-pod-identity)" + enum: [ + "ServicePrincipal", + "ManagedIdentity", + "WorkloadIdentity", + ] + type: "string" + } + environmentType: { + default: "PublicCloud" + description: "EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud" + enum: [ + "PublicCloud", + "USGovernmentCloud", + "ChinaCloud", + "GermanCloud", + ] + type: "string" + } + identityId: { + description: "If multiple Managed Identity is assigned to the pod, you can select the one to be used" + type: "string" + } + serviceAccountRef: { + description: "ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + tenantId: { + description: "TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type." 
+ type: "string" + } + vaultUrl: { + description: "Vault Url from which the secrets to be fetched from." + type: "string" + } + } + required: ["vaultUrl"] + type: "object" + } + conjur: { + description: "Conjur configures this store to sync secrets using conjur provider" + properties: { + auth: { + properties: apikey: { + properties: { + account: type: "string" + apiKeyRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + userRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "account", + "apiKeyRef", + "userRef", + ] + type: "object" + } + required: ["apikey"] + type: "object" + } + caBundle: type: "string" + url: type: "string" + } + required: [ + "auth", + "url", + ] + type: "object" + } + delinea: { + description: "Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current" + properties: { + clientId: { + description: "ClientID is the non-secret part of the credential." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + clientSecret: { + description: "ClientSecret is the secret part of the credential." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + tenant: { + description: "Tenant is the chosen hostname / site name." + type: "string" + } + tld: { + description: "TLD is based on the server location that was chosen during provisioning. If unset, defaults to \"com\"." + type: "string" + } + urlTemplate: { + description: "URLTemplate If unset, defaults to \"https://%s.secretsvaultcloud.%s/v1/%s%s\"." + type: "string" + } + } + required: [ + "clientId", + "clientSecret", + "tenant", + ] + type: "object" + } + doppler: { + description: "Doppler configures this store to sync secrets using the Doppler provider" + properties: { + auth: { + description: "Auth configures how the Operator authenticates with the Doppler API" + properties: secretRef: { + properties: dopplerToken: { + description: "The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + required: ["dopplerToken"] + type: "object" + } + required: ["secretRef"] + type: "object" + } + config: { + description: "Doppler config (required if not using a Service Token)" + type: "string" + } + format: { + description: "Format enables the downloading of secrets as a file (string)" + enum: [ + "json", + "dotnet-json", + "env", + "yaml", + "docker", + ] + type: "string" + } + nameTransformer: { + description: "Environment variable compatible name transforms that change secret names to a different format" + enum: [ + "upper-camel", + "camel", + "lower-snake", + "tf-var", + "dotnet-env", + "lower-kebab", + ] + type: "string" + } + project: { + description: "Doppler project (required if not using a Service Token)" + type: "string" + } + } + required: ["auth"] + type: "object" + } + fake: { + description: "Fake configures a store with static key/value pairs" + properties: data: { + items: { + properties: { + key: type: "string" + value: type: "string" + valueMap: { + additionalProperties: type: "string" + type: "object" + } + version: type: "string" + } + required: ["key"] + type: "object" + } + type: "array" + } + required: ["data"] + type: "object" + } + gcpsm: { + description: "GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against GCP" + properties: { + secretRef: { + properties: secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + workloadIdentity: { + properties: { + clusterLocation: type: "string" + clusterName: type: "string" + clusterProjectID: type: "string" + serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "clusterLocation", + "clusterName", + "serviceAccountRef", + ] + type: "object" + } + } + type: "object" + } + projectID: { + description: "ProjectID project where secret is located" + type: "string" + } + } + type: "object" + } + gitlab: { + description: "GitLab configures this store to sync secrets using GitLab Variables provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a GitLab instance." + properties: SecretRef: { + properties: accessToken: { + description: "AccessToken is used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + required: ["SecretRef"] + type: "object" + } + environment: { + description: "Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)" + type: "string" + } + groupIDs: { + description: "GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables." + items: type: "string" + type: "array" + } + inheritFromGroups: { + description: "InheritFromGroups specifies whether parent groups should be discovered and checked for secrets." + type: "boolean" + } + projectID: { + description: "ProjectID specifies a project where secrets are located." + type: "string" + } + url: { + description: "URL configures the GitLab instance URL. Defaults to https://gitlab.com/." + type: "string" + } + } + required: ["auth"] + type: "object" + } + ibm: { + description: "IBM configures this store to sync secrets using IBM Cloud provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the IBM secrets manager." + maxProperties: 1 + minProperties: 1 + properties: { + containerAuth: { + description: "IBM Container-based auth with IAM Trusted Profile." 
+ properties: { + iamEndpoint: type: "string" + profile: { + description: "the IBM Trusted Profile" + type: "string" + } + tokenLocation: { + description: "Location the token is mounted on the pod" + type: "string" + } + } + required: ["profile"] + type: "object" + } + secretRef: { + properties: secretApiKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + serviceUrl: { + description: "ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance" + type: "string" + } + } + required: ["auth"] + type: "object" + } + keepersecurity: { + description: "KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider" + properties: { + authRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + folderID: type: "string" + } + required: [ + "authRef", + "folderID", + ] + type: "object" + } + kubernetes: { + description: "Kubernetes configures this store to sync secrets using a Kubernetes cluster provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with a Kubernetes instance." + maxProperties: 1 + minProperties: 1 + properties: { + cert: { + description: "has both clientCert and clientKey as secretKeySelector" + properties: { + clientCert: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + clientKey: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + serviceAccount: { + description: "points to a service account that should be used for authentication" + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + token: { + description: "use static token to authenticate with" + properties: bearerToken: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + type: "object" + } + remoteNamespace: { + default: "default" + description: "Remote namespace to fetch the secrets from" + type: "string" + } + server: { + description: "configures the Kubernetes server Address." 
+ properties: { + caBundle: { + description: "CABundle is a base64-encoded CA certificate" + format: "byte" + type: "string" + } + caProvider: { + description: "see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider" + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + url: { + default: "kubernetes.default" + description: "configures the Kubernetes server Address." + type: "string" + } + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + onepassword: { + description: "OnePassword configures this store to sync secrets using the 1Password Cloud provider" + properties: { + auth: { + description: "Auth defines the information necessary to authenticate against OnePassword Connect Server" + properties: secretRef: { + description: "OnePasswordAuthSecretRef holds secret references for 1Password credentials." + properties: connectTokenSecretRef: { + description: "The ConnectToken is used for authentication to a 1Password Connect Server." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + required: ["connectTokenSecretRef"] + type: "object" + } + required: ["secretRef"] + type: "object" + } + connectHost: { + description: "ConnectHost defines the OnePassword Connect Server to connect to" + type: "string" + } + vaults: { + additionalProperties: type: "integer" + description: "Vaults defines which OnePassword vaults to search in which order" + type: "object" + } + } + required: [ + "auth", + "connectHost", + "vaults", + ] + type: "object" + } + oracle: { + description: "Oracle configures this store to sync secrets using Oracle Vault provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth." + properties: { + secretRef: { + description: "SecretRef to pass through sensitive information." + properties: { + fingerprint: { + description: "Fingerprint is the fingerprint of the API private key." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + privatekey: { + description: "PrivateKey is the user's API Signing Key in PEM format, used for authentication." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "fingerprint", + "privatekey", + ] + type: "object" + } + tenancy: { + description: "Tenancy is the tenancy OCID where user is located." + type: "string" + } + user: { + description: "User is an access OCID specific to the account." + type: "string" + } + } + required: [ + "secretRef", + "tenancy", + "user", + ] + type: "object" + } + region: { + description: "Region is the region where vault is located." + type: "string" + } + vault: { + description: "Vault is the vault's OCID of the specific vault where secret is located." + type: "string" + } + } + required: [ + "region", + "vault", + ] + type: "object" + } + scaleway: { + description: "Scaleway" + properties: { + accessKey: { + description: "AccessKey is the non-secret part of the api key." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + apiUrl: { + description: "APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com" + type: "string" + } + projectId: { + description: "ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings" + type: "string" + } + region: { + description: "Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone" + type: "string" + } + secretKey: { + description: "SecretKey is the non-secret part of the api key." + properties: { + secretRef: { + description: "SecretRef references a key in a secret that will be used as value." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + value: { + description: "Value can be specified directly to set a value without using a secret." + type: "string" + } + } + type: "object" + } + } + required: [ + "accessKey", + "projectId", + "region", + "secretKey", + ] + type: "object" + } + senhasegura: { + description: "Senhasegura configures this store to sync secrets using senhasegura provider" + properties: { + auth: { + description: "Auth defines parameters to authenticate in senhasegura" + properties: { + clientId: type: "string" + clientSecretSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "clientId", + "clientSecretSecretRef", + ] + type: "object" + } + ignoreSslCertificate: { + default: false + description: "IgnoreSslCertificate defines if SSL certificate must be ignored" + type: "boolean" + } + module: { + description: "Module defines which senhasegura module should be used to get secrets" + type: "string" + } + url: { + description: "URL of senhasegura" + type: "string" + } + } + required: [ + "auth", + "module", + "url", + ] + type: "object" + } + vault: { + description: "Vault configures this store to sync secrets using Hashi provider" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." + properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + roleRef: { + description: "Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." 
+ type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + iam: { + description: "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method" + properties: { + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + jwt: { + description: "Specify a service account with IRSA enabled" + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + path: { + description: "Path where the AWS auth method is enabled in Vault, e.g: \"aws\"" + type: "string" + } + region: { + description: "AWS region" + type: "string" + } + role: { + description: "This is the AWS role to be assumed before talking to vault" + type: "string" + } + secretRef: { + description: "Specify credentials in a Secret object" + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + vaultAwsIamServerID: { + description: "X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws" + type: "string" + } + vaultRole: { + description: "Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine" + type: "string" + } + } + required: ["vaultRole"] + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. 
Deprecated: use serviceAccountRef.Audiences instead" + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." 
+ properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + userPass: { + description: "UserPass authenticates with Vault by passing username/password pair" + properties: { + path: { + default: "user" + description: "Path where the UserPassword authentication backend is mounted in Vault, e.g: \"user\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + username: { + description: "Username is a user name used to authenticate using the UserPass Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." + type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". 
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." + type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." + enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + webhook: { + description: "Webhook configures this store to sync secrets using a generic templated webhook" + properties: { + body: { + description: "Body" + type: "string" + } + caBundle: { + description: "PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate webhook server certificate." + properties: { + key: { + description: "The key the value inside of the provider type to use, only used with \"Secret\" type" + type: "string" + } + name: { + description: "The name of the object located at the provider type." 
+ type: "string" + } + namespace: { + description: "The namespace the Provider type is in." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + headers: { + additionalProperties: type: "string" + description: "Headers" + type: "object" + } + method: { + description: "Webhook Method" + type: "string" + } + result: { + description: "Result formatting" + properties: jsonPath: { + description: "Json path of return value" + type: "string" + } + type: "object" + } + secrets: { + description: "Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name" + items: { + properties: { + name: { + description: "Name of this secret in templates" + type: "string" + } + secretRef: { + description: "Secret ref to fill in credentials" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "name", + "secretRef", + ] + type: "object" + } + type: "array" + } + timeout: { + description: "Timeout" + type: "string" + } + url: { + description: "Webhook url to call" + type: "string" + } + } + required: [ + "result", + "url", + ] + type: "object" + } + yandexcertificatemanager: { + description: "YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Certificate Manager" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + yandexlockbox: { + description: "YandexLockbox configures this store to sync secrets using Yandex Lockbox provider" + properties: { + apiEndpoint: { + description: "Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')" + type: "string" + } + auth: { + description: "Auth defines the information necessary to authenticate against Yandex Lockbox" + properties: authorizedKeySecretRef: { + description: "The authorized key used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Yandex.Cloud server certificate." + properties: certSecretRef: { + description: "A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + type: "object" + } + } + required: ["auth"] + type: "object" + } + } + type: "object" + } + refreshInterval: { + description: "Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config." + type: "integer" + } + retrySettings: { + description: "Used to configure http retries if failed" + properties: { + maxRetries: { + format: "int32" + type: "integer" + } + retryInterval: type: "string" + } + type: "object" + } + } + required: ["provider"] + type: "object" + } + status: { + description: "SecretStoreStatus defines the observed state of the SecretStore." + properties: { + capabilities: { + description: "SecretStoreCapabilities defines the possible operations a SecretStore can do." + type: "string" + } + conditions: { + items: { + properties: { + lastTransitionTime: { + format: "date-time" + type: "string" + } + message: type: "string" + reason: type: "string" + status: type: "string" + type: type: "string" + } + required: [ + "status", + "type", + ] + type: "object" + } + type: "array" + } + } + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}, { + // Source: external-secrets/templates/crds/vaultdynamicsecret.yaml + apiVersion: + "apiextensions.k8s.io/v1", kind: + "CustomResourceDefinition", metadata: { + + annotations: { + "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + "controller-gen.kubebuilder.io/version": "v0.13.0" + } + name: "vaultdynamicsecrets.generators.external-secrets.io" + }, spec: { + + group: "generators.external-secrets.io" + names: { + categories: 
["vaultdynamicsecret"] + kind: "VaultDynamicSecret" + listKind: "VaultDynamicSecretList" + plural: "vaultdynamicsecrets" + shortNames: ["vaultdynamicsecret"] + singular: "vaultdynamicsecret" + } + scope: "Namespaced" + versions: [{ + name: "v1alpha1" + schema: openAPIV3Schema: { + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + metadata: type: "object" + spec: { + properties: { + controller: { + description: "Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property" + type: "string" + } + method: { + description: "Vault API method to use (GET/POST/other)" + type: "string" + } + parameters: { + description: "Parameters to pass to Vault write (for non-GET methods)" + "x-kubernetes-preserve-unknown-fields": true + } + path: { + description: "Vault path to obtain the dynamic secret from" + type: "string" + } + provider: { + description: "Vault provider common spec" + properties: { + auth: { + description: "Auth configures how secret-manager authenticates with the Vault server." + properties: { + appRole: { + description: "AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource." 
+ properties: { + path: { + default: "approle" + description: "Path where the App Role authentication backend is mounted in Vault, e.g: \"approle\"" + type: "string" + } + roleId: { + description: "RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault." + type: "string" + } + roleRef: { + description: "Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + required: [ + "path", + "secretRef", + ] + type: "object" + } + cert: { + description: "Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method" + properties: { + clientCert: { + description: "ClientCert is a certificate to authenticate using the Cert Vault authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + } + type: "object" + } + iam: { + description: "Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method" + properties: { + externalID: { + description: "AWS External ID set on assumed IAM roles" + type: "string" + } + jwt: { + description: "Specify a service account with IRSA enabled" + properties: serviceAccountRef: { + description: "A reference to a ServiceAccount resource." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + type: "object" + } + path: { + description: "Path where the AWS auth method is enabled in Vault, e.g: \"aws\"" + type: "string" + } + region: { + description: "AWS region" + type: "string" + } + role: { + description: "This is the AWS role to be assumed before talking to vault" + type: "string" + } + secretRef: { + description: "Specify credentials in a Secret object" + properties: { + accessKeyIDSecretRef: { + description: "The AccessKeyID is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." 
+ type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + secretAccessKeySecretRef: { + description: "The SecretAccessKey is used for authentication" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + sessionTokenSecretRef: { + description: "The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + type: "object" + } + vaultAwsIamServerID: { + description: "X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. 
More details here: https://developer.hashicorp.com/vault/docs/auth/aws" + type: "string" + } + vaultRole: { + description: "Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine" + type: "string" + } + } + required: ["vaultRole"] + type: "object" + } + jwt: { + description: "Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method" + properties: { + kubernetesServiceAccountToken: { + description: "Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API." + properties: { + audiences: { + description: "Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead" + items: type: "string" + type: "array" + } + expirationSeconds: { + description: "Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes." + format: "int64" + type: "integer" + } + serviceAccountRef: { + description: "Service account field containing the name of a kubernetes ServiceAccount." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: ["serviceAccountRef"] + type: "object" + } + path: { + default: "jwt" + description: "Path where the JWT authentication backend is mounted in Vault, e.g: \"jwt\"" + type: "string" + } + role: { + description: "Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method" + type: "string" + } + secretRef: { + description: "Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + } + required: ["path"] + type: "object" + } + kubernetes: { + description: "Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server." + properties: { + mountPath: { + default: "kubernetes" + description: "Path where the Kubernetes authentication backend is mounted in Vault, e.g: \"kubernetes\"" + type: "string" + } + role: { + description: "A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies." + type: "string" + } + secretRef: { + description: "Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. 
If one is not specified, the one bound to the controller will be used." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + serviceAccountRef: { + description: "Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead." + properties: { + audiences: { + description: "Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list" + items: type: "string" + type: "array" + } + name: { + description: "The name of the ServiceAccount resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + required: ["name"] + type: "object" + } + } + required: [ + "mountPath", + "role", + ] + type: "object" + } + ldap: { + description: "Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method" + properties: { + path: { + default: "ldap" + description: "Path where the LDAP authentication backend is mounted in Vault, e.g: \"ldap\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + username: { + description: "Username is a LDAP user name used to authenticate using the LDAP Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + tokenSecretRef: { + description: "TokenSecretRef authenticates with Vault by presenting a token." + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." 
+ type: "string" + } + } + type: "object" + } + userPass: { + description: "UserPass authenticates with Vault by passing username/password pair" + properties: { + path: { + default: "user" + description: "Path where the UserPassword authentication backend is mounted in Vault, e.g: \"user\"" + type: "string" + } + secretRef: { + description: "SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method" + properties: { + key: { + description: "The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required." + type: "string" + } + name: { + description: "The name of the Secret resource being referred to." + type: "string" + } + namespace: { + description: "Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent." + type: "string" + } + } + type: "object" + } + username: { + description: "Username is a user name used to authenticate using the UserPass Vault authentication method" + type: "string" + } + } + required: [ + "path", + "username", + ] + type: "object" + } + } + type: "object" + } + caBundle: { + description: "PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection." + format: "byte" + type: "string" + } + caProvider: { + description: "The provider for the CA bundle to use to validate Vault server certificate." + properties: { + key: { + description: "The key where the CA certificate can be found in the Secret or ConfigMap." + type: "string" + } + name: { + description: "The name of the object located at the provider type." 
+ type: "string" + } + namespace: { + description: "The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore." + type: "string" + } + type: { + description: "The type of provider to use such as \"Secret\", or \"ConfigMap\"." + enum: [ + "Secret", + "ConfigMap", + ] + type: "string" + } + } + required: [ + "name", + "type", + ] + type: "object" + } + forwardInconsistent: { + description: "ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header" + type: "boolean" + } + namespace: { + description: "Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: \"ns1\". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces" + type: "string" + } + path: { + description: "Path is the mount path of the Vault KV backend endpoint, e.g: \"secret\". The v2 KV secret engine version specific \"/data\" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path." + type: "string" + } + readYourWrites: { + description: "ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency" + type: "boolean" + } + server: { + description: "Server is the connection address for the Vault server, e.g: \"https://vault.example.com:8200\"." + type: "string" + } + version: { + default: "v2" + description: "Version is the Vault KV secret engine version. This can be either \"v1\" or \"v2\". Version defaults to \"v2\"." 
+ enum: [ + "v1", + "v2", + ] + type: "string" + } + } + required: [ + "auth", + "server", + ] + type: "object" + } + resultType: { + default: "Data" + description: "Result type defines which data is returned from the generator. By default it is the \"data\" section of the Vault API response. When using e.g. /auth/token/create the \"data\" section is empty but the \"auth\" section contains the generated token. Please refer to the vault docs regarding the result data structure." + type: "string" + } + } + required: [ + "path", + "provider", + ] + type: "object" + } + } + type: "object" + } + served: true + storage: true + subresources: status: {} + }] + conversion: { + strategy: "Webhook" + webhook: { + conversionReviewVersions: ["v1"] + clientConfig: service: { + name: "external-secrets-webhook" + namespace: "external-secrets" + path: "/convert" + } + } + } + } +}] +clusterrole: [{ + // Source: external-secrets/templates/rbac.yaml + apiVersion: + "rbac.authorization.k8s.io/v1", kind: + "ClusterRole", metadata: { + + name: "external-secrets-controller" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + }, rules: [{ + apiGroups: ["external-secrets.io"] + resources: [ + "secretstores", + "clustersecretstores", + "externalsecrets", + "clusterexternalsecrets", + "pushsecrets", + ] + verbs: [ + "get", + "list", + "watch", + ] + }, { + apiGroups: ["external-secrets.io"] + resources: [ + "externalsecrets", + "externalsecrets/status", + "externalsecrets/finalizers", + "secretstores", + "secretstores/status", + "secretstores/finalizers", + "clustersecretstores", + "clustersecretstores/status", + "clustersecretstores/finalizers", + "clusterexternalsecrets", + "clusterexternalsecrets/status", + "clusterexternalsecrets/finalizers", + "pushsecrets", + "pushsecrets/status", + 
"pushsecrets/finalizers", + ] + verbs: [ + "update", + "patch", + ] + }, { + apiGroups: ["generators.external-secrets.io"] + resources: [ + "acraccesstokens", + "ecrauthorizationtokens", + "fakes", + "gcraccesstokens", + "passwords", + "vaultdynamicsecrets", + ] + verbs: [ + "get", + "list", + "watch", + ] + }, { + apiGroups: [""] + resources: [ + "serviceaccounts", + "namespaces", + ] + verbs: [ + "get", + "list", + "watch", + ] + }, { + apiGroups: [""] + resources: ["configmaps"] + verbs: [ + "get", + "list", + "watch", + ] + }, { + apiGroups: [""] + resources: ["secrets"] + verbs: [ + "get", + "list", + "watch", + "create", + "update", + "delete", + "patch", + ] + }, { + apiGroups: [""] + resources: ["serviceaccounts/token"] + verbs: ["create"] + }, { + apiGroups: [""] + resources: ["events"] + verbs: [ + "create", + "patch", + ] + }, { + apiGroups: ["external-secrets.io"] + resources: ["externalsecrets"] + verbs: [ + "create", + "update", + "delete", + ] + }] +}, { + // Source: external-secrets/templates/rbac.yaml + apiVersion: + "rbac.authorization.k8s.io/v1", kind: + "ClusterRole", metadata: { + + name: "external-secrets-view" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + "rbac.authorization.k8s.io/aggregate-to-view": "true" + "rbac.authorization.k8s.io/aggregate-to-edit": "true" + "rbac.authorization.k8s.io/aggregate-to-admin": "true" + } + }, rules: [{ + apiGroups: ["external-secrets.io"] + resources: [ + "externalsecrets", + "secretstores", + "clustersecretstores", + "pushsecrets", + ] + verbs: [ + "get", + "watch", + "list", + ] + }, { + apiGroups: ["generators.external-secrets.io"] + resources: [ + "acraccesstokens", + "ecrauthorizationtokens", + "fakes", + "gcraccesstokens", + "passwords", + "vaultdynamicsecrets", + ] + verbs: [ + "get", + "watch", + "list", + ] + 
}] +}, { + // Source: external-secrets/templates/rbac.yaml + apiVersion: + "rbac.authorization.k8s.io/v1", kind: + "ClusterRole", metadata: { + + name: "external-secrets-edit" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + "rbac.authorization.k8s.io/aggregate-to-edit": "true" + "rbac.authorization.k8s.io/aggregate-to-admin": "true" + } + }, rules: [{ + apiGroups: ["external-secrets.io"] + resources: [ + "externalsecrets", + "secretstores", + "clustersecretstores", + "pushsecrets", + ] + verbs: [ + "create", + "delete", + "deletecollection", + "patch", + "update", + ] + }, { + apiGroups: ["generators.external-secrets.io"] + resources: [ + "acraccesstokens", + "ecrauthorizationtokens", + "fakes", + "gcraccesstokens", + "passwords", + "vaultdynamicsecrets", + ] + verbs: [ + "create", + "delete", + "deletecollection", + "patch", + "update", + ] + }] +}, { + // Source: external-secrets/templates/rbac.yaml + apiVersion: + "rbac.authorization.k8s.io/v1", kind: + "ClusterRole", metadata: { + + name: "external-secrets-servicebindings" + labels: { + "servicebinding.io/controller": "true" + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + }, rules: [{ + apiGroups: ["external-secrets.io"] + resources: ["externalsecrets"] + verbs: [ + "get", + "list", + "watch", + ] + }] +}] +clusterrolebinding: [{ + // Source: external-secrets/templates/rbac.yaml + apiVersion: + "rbac.authorization.k8s.io/v1", kind: + "ClusterRoleBinding", metadata: { + + name: "external-secrets-controller" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": 
"external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + }, roleRef: { + + apiGroup: "rbac.authorization.k8s.io" + kind: "ClusterRole" + name: "external-secrets-controller" + }, subjects: [{ + name: "external-secrets" + namespace: "external-secrets" + kind: "ServiceAccount" + }] +}] +role: [{ + // Source: external-secrets/templates/rbac.yaml + apiVersion: + "rbac.authorization.k8s.io/v1", kind: + "Role", metadata: { + + name: "external-secrets-leaderelection" + namespace: "external-secrets" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + }, rules: [{ + apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["external-secrets-controller"] + verbs: [ + "get", + "update", + "patch", + ] + }, { + apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + }, { + apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: [ + "get", + "create", + "update", + "patch", + ] + }] +}] +rolebinding: [{ + // Source: external-secrets/templates/rbac.yaml + apiVersion: + "rbac.authorization.k8s.io/v1", kind: + "RoleBinding", metadata: { + + name: "external-secrets-leaderelection" + namespace: "external-secrets" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + }, roleRef: { + + apiGroup: "rbac.authorization.k8s.io" + kind: "Role" + name: "external-secrets-leaderelection" + }, subjects: [{ + kind: "ServiceAccount" + name: "external-secrets" + namespace: "external-secrets" + }] +}] +service: [{ + // Source: external-secrets/templates/webhook-service.yaml + apiVersion: + "v1", kind: + "Service", metadata: { + + name: 
"external-secrets-webhook" + namespace: "external-secrets" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets-webhook" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + "external-secrets.io/component": "webhook" + } + }, spec: { + + type: "ClusterIP" + ports: [{ + port: 443 + targetPort: 10250 + protocol: "TCP" + name: "webhook" + }] + selector: { + "app.kubernetes.io/name": "external-secrets-webhook" + "app.kubernetes.io/instance": "external-secrets" + } + } +}] +deployment: [{ + // Source: external-secrets/templates/deployment.yaml + apiVersion: + "apps/v1", kind: + "Deployment", metadata: { + + name: "external-secrets" + namespace: "external-secrets" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + }, spec: { + + replicas: 1 + revisionHistoryLimit: 10 + selector: matchLabels: { + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + } + template: { + metadata: labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + spec: { + serviceAccountName: "external-secrets" + automountServiceAccountToken: true + hostNetwork: false + containers: [{ + name: "external-secrets" + securityContext: { + allowPrivilegeEscalation: false + capabilities: drop: ["ALL"] + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: type: "RuntimeDefault" + } + image: "ghcr.io/external-secrets/external-secrets:v0.9.5" + imagePullPolicy: "IfNotPresent" + args: ["--concurrent=1"] + ports: [{ + containerPort: 8080 + 
protocol: "TCP" + name: "metrics" + }] + }] + } + } + } +}, { + // Source: external-secrets/templates/webhook-deployment.yaml + apiVersion: + "apps/v1", kind: + "Deployment", metadata: { + + name: "external-secrets-webhook" + namespace: "external-secrets" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets-webhook" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + }, spec: { + + replicas: 1 + revisionHistoryLimit: 10 + selector: matchLabels: { + "app.kubernetes.io/name": "external-secrets-webhook" + "app.kubernetes.io/instance": "external-secrets" + } + template: { + metadata: labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets-webhook" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + } + spec: { + hostNetwork: false + serviceAccountName: "external-secrets-webhook" + automountServiceAccountToken: true + containers: [{ + name: "webhook" + securityContext: { + allowPrivilegeEscalation: false + capabilities: drop: ["ALL"] + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: type: "RuntimeDefault" + } + image: "ghcr.io/external-secrets/external-secrets:v0.9.5" + imagePullPolicy: "IfNotPresent" + args: [ + "webhook", + "--port=10250", + "--dns-name=external-secrets-webhook.external-secrets.svc", + "--cert-dir=/tmp/certs", + "--check-interval=5m", + "--metrics-addr=:8080", + "--healthz-addr=:8081", + ] + ports: [{ + containerPort: 8080 + protocol: "TCP" + name: "metrics" + }, { + containerPort: 10250 + protocol: "TCP" + name: "webhook" + }] + readinessProbe: { + httpGet: { + port: 8081 + path: "/readyz" + } + initialDelaySeconds: 20 + periodSeconds: 5 + } + volumeMounts: [{ + name: "certs" + mountPath: "/tmp/certs" + readOnly: true + }] + }] + volumes: [{ + name: "certs" 
+ secret: secretName: "external-secrets-webhook" + }] + } + } + } +}] +certificate: [{ + // Source: external-secrets/templates/webhook-certificate.yaml + apiVersion: + "cert-manager.io/v1", kind: + "Certificate", metadata: { + + name: "external-secrets-webhook" + namespace: "external-secrets" + labels: { + "helm.sh/chart": "external-secrets-0.9.5" + "app.kubernetes.io/name": "external-secrets-webhook" + "app.kubernetes.io/instance": "external-secrets" + "app.kubernetes.io/version": "v0.9.5" + "app.kubernetes.io/managed-by": "Helm" + "external-secrets.io/component": "webhook" + } + }, spec: { + + commonName: "external-secrets-webhook" + dnsNames: [ + "external-secrets-webhook", + "external-secrets-webhook.external-secrets", + "external-secrets-webhook.external-secrets.svc", + ] + issuerRef: { + group: "cert-manager.io" + kind: "Issuer" + name: "my-issuer" + } + secretName: "external-secrets-webhook" + } +}] +validatingwebhookconfiguration: [{ + // Source: external-secrets/templates/validatingwebhook.yaml + apiVersion: + "admissionregistration.k8s.io/v1", kind: + "ValidatingWebhookConfiguration", metadata: { + + name: "secretstore-validate" + labels: "external-secrets.io/component": "webhook" + annotations: "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + }, webhooks: [{ + name: "validate.secretstore.external-secrets.io" + rules: [{ + apiGroups: ["external-secrets.io"] + apiVersions: ["v1beta1"] + operations: ["CREATE", "UPDATE", "DELETE"] + resources: ["secretstores"] + scope: "Namespaced" + }] + clientConfig: service: { + namespace: "external-secrets" + name: "external-secrets-webhook" + path: "/validate-external-secrets-io-v1beta1-secretstore" + } + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: "None" + timeoutSeconds: 5 + }, { + name: "validate.clustersecretstore.external-secrets.io" + rules: [{ + apiGroups: ["external-secrets.io"] + apiVersions: ["v1beta1"] + operations: ["CREATE", "UPDATE", "DELETE"] + resources: 
["clustersecretstores"] + scope: "Cluster" + }] + clientConfig: service: { + namespace: "external-secrets" + name: "external-secrets-webhook" + path: "/validate-external-secrets-io-v1beta1-clustersecretstore" + } + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: "None" + timeoutSeconds: 5 + }] +}, { + // Source: external-secrets/templates/validatingwebhook.yaml + apiVersion: + "admissionregistration.k8s.io/v1", kind: + "ValidatingWebhookConfiguration", metadata: { + + name: "externalsecret-validate" + labels: "external-secrets.io/component": "webhook" + annotations: "cert-manager.io/inject-ca-from": "external-secrets/external-secrets-webhook" + }, webhooks: [{ + name: "validate.externalsecret.external-secrets.io" + rules: [{ + apiGroups: ["external-secrets.io"] + apiVersions: ["v1beta1"] + operations: ["CREATE", "UPDATE", "DELETE"] + resources: ["externalsecrets"] + scope: "Namespaced" + }] + clientConfig: service: { + namespace: "external-secrets" + name: "external-secrets-webhook" + path: "/validate-external-secrets-io-v1beta1-externalsecret" + } + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: "None" + timeoutSeconds: 5 + failurePolicy: "Fail" + }] +}] diff --git a/k8s/amour/external_secrets/list.cue b/k8s/amour/external_secrets/list.cue new file mode 100644 index 000000000..60d7cd3a6 --- /dev/null +++ b/k8s/amour/external_secrets/list.cue 
@@ -0,0 +1,42 @@ +package external_secrets + +import ( + "list" + + "k8s.io/api/core/v1" + "github.com/uhthomas/automata/k8s/amour/external_secrets/webhook" +) + +#Name: "external-secrets" +#Namespace: #Name +#Version: "0.9.5" + +#List: v1.#List & { + apiVersion: "v1" + kind: "List" + items: [...{ + metadata: { + name: string | *#Name + namespace: #Namespace + labels: { + "app.kubernetes.io/name": string | *#Name + "app.kubernetes.io/version": #Version + } + } + }] +} + +#List: items: list.Concat(_items) + +_items: [ + webhook.#List.items, + #ClusterRoleBindingList.items, + #ClusterRoleList.items, + #CustomResourceDefinitionList.items, + #DeploymentList.items, + #NamespaceList.items, + #RoleBindingList.items, + #RoleList.items, + #ServiceAccountList.items, + +] diff --git a/k8s/amour/onepassword_operator/namespace_list.cue b/k8s/amour/external_secrets/namespace_list.cue similarity index 87% rename from k8s/amour/onepassword_operator/namespace_list.cue rename to k8s/amour/external_secrets/namespace_list.cue index 32890f07d..74aa420c1 100644 --- a/k8s/amour/onepassword_operator/namespace_list.cue +++ b/k8s/amour/external_secrets/namespace_list.cue @@ -1,4 +1,4 @@ -package onepassword_operator +package external_secrets import "k8s.io/api/core/v1" diff --git a/k8s/amour/external_secrets/role_binding_list.cue b/k8s/amour/external_secrets/role_binding_list.cue new file mode 100644 index 000000000..4b4ed1423 --- /dev/null +++ b/k8s/amour/external_secrets/role_binding_list.cue 
@@ -0,0 +1,25 @@ +package external_secrets + +import rbacv1 "k8s.io/api/rbac/v1" + +#RoleBindingList: rbacv1.#RoleBindingList & { + apiVersion: "rbac.authorization.k8s.io/v1" + kind: "RoleBindingList" + items: [...{ + apiVersion: "rbac.authorization.k8s.io/v1" + kind: "RoleBinding" + }] +} + +#RoleBindingList: items: [{ + metadata: name: "external-secrets-leaderelection" + roleRef: { + apiGroup: rbacv1.#GroupName + kind: "Role" + name: "external-secrets-leaderelection" + } + subjects: [{ + name: "external-secrets" + kind: rbacv1.#ServiceAccountKind + }] +}] diff --git a/k8s/amour/external_secrets/role_list.cue b/k8s/amour/external_secrets/role_list.cue new file mode 100644 index 000000000..60b38e1b4 --- /dev/null +++ b/k8s/amour/external_secrets/role_list.cue @@ -0,0 +1,30 @@ +package external_secrets + +import rbacv1 "k8s.io/api/rbac/v1" + +#RoleList: rbacv1.#RoleList & { + apiVersion: "rbac.authorization.k8s.io/v1" + kind: "RoleList" + items: [...{ + apiVersion: "rbac.authorization.k8s.io/v1" + kind: "Role" + }] +} + +#RoleList: items: [{ + metadata: name: "external-secrets-leaderelection" + rules: [{ + apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["external-secrets-controller"] + verbs: ["get", "update", "patch"] + }, { + apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + }, { + apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "create", "update", "patch"] + }] +}] diff --git a/k8s/amour/onepassword_operator/service_account_list.cue b/k8s/amour/external_secrets/service_account_list.cue similarity index 88% rename from k8s/amour/onepassword_operator/service_account_list.cue rename to k8s/amour/external_secrets/service_account_list.cue index 2aa8cf541..a0afceac2 100644 --- a/k8s/amour/onepassword_operator/service_account_list.cue +++ b/k8s/amour/external_secrets/service_account_list.cue @@ -1,4 +1,4 @@ -package onepassword_operator +package external_secrets import "k8s.io/api/core/v1" 
diff --git a/k8s/amour/external_secrets/webhook/BUILD.bazel b/k8s/amour/external_secrets/webhook/BUILD.bazel
new file mode 100644
index 000000000..344a50964
--- /dev/null
+++ b/k8s/amour/external_secrets/webhook/BUILD.bazel
@@ -0,0 +1,22 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+ name = "cue_webhook_library",
+ srcs = [
+ "certificate_list.cue",
+ "deployment_list.cue",
+ "issuer_list.cue",
+ "list.cue",
+ "service_account_list.cue",
+ "service_list.cue",
+ "validating_webhook_configuration_list.cue",
+ ],
+ importpath = "github.com/uhthomas/automata/k8s/amour/external_secrets/webhook",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//cue.mod/gen/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1:cue_v1_library",
+ "//cue.mod/gen/k8s.io/api/admissionregistration/v1:cue_v1_library",
+ "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library",
+ "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+ ],
+)
diff --git a/k8s/amour/external_secrets/webhook/certificate_list.cue b/k8s/amour/external_secrets/webhook/certificate_list.cue
new file mode 100644
index 000000000..085e26748
--- /dev/null
+++ b/k8s/amour/external_secrets/webhook/certificate_list.cue
@@ -0,0 +1,27 @@
+package webhook
+
+import certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+
+#CertificateList: certmanagerv1.#CertificateList & {
+ apiVersion: "cert-manager.io/v1"
+ kind: "CertificateList"
+ items: [...{
+ apiVersion: "cert-manager.io/v1"
+ kind: "Certificate"
+ }]
+}
+
+#CertificateList: items: [{
+ spec: {
+ dnsNames: [
+ #Name,
+ "\(#Name).\(#Namespace)",
+ "\(#Name).\(#Namespace).svc",
+ ]
+ issuerRef: {
+ kind: certmanagerv1.#IssuerKind
+ name: #Name
+ }
+ secretName: #Name
+ }
+}]
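Review bot: The webhook serving certificate reuses its private key on every renewal, because `spec.privateKey.rotationPolicy` is unset and cert-manager defaults it to `Never`; a key copied out of the `external-secrets-webhook` Secret therefore stays valid for as long as the SANs do. Add `privateKey: rotationPolicy: "Always"` inside `spec` so each renewal also rotates the key. The Helm-rendered copy of this object earlier in the patch also set `commonName: "external-secrets-webhook"`; dropping it looks harmless since the SAN list still contains the `--dns-name` the deployment passes, but a one-line comment saying so would save the next reader the comparison.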
diff --git a/k8s/amour/onepassword_secrets_injector/deployment_list.cue b/k8s/amour/external_secrets/webhook/deployment_list.cue similarity index 57% rename from k8s/amour/onepassword_secrets_injector/deployment_list.cue rename to k8s/amour/external_secrets/webhook/deployment_list.cue index 714792895..ccb13556b 100644 --- a/k8s/amour/onepassword_secrets_injector/deployment_list.cue +++ b/k8s/amour/external_secrets/webhook/deployment_list.cue @@ -1,4 +1,4 @@ -package onepassword_secrets_injector +package webhook import ( appsv1 "k8s.io/api/apps/v1" @@ -20,34 +20,39 @@ import ( template: { metadata: labels: "app.kubernetes.io/name": #Name spec: { - // TODO: Remove. - // - // https://github.com/1Password/kubernetes-secrets-injector/pull/46 volumes: [{ - name: "tmp" - emptyDir: {} + name: "certs" + secret: secretName: #Name }] containers: [{ - name: #Name - image: "1password/kubernetes-secrets-injector:1.0.2@sha256:5884757f787937e1fad1efa5514ecdafe8e0edcd3c72d0f3fd6e7fd52d196274" + name: "webhook" + image: "ghcr.io/external-secrets/external-secrets:v0.9.5" args: [ - "-service-name=\(#Name)", - "-logtostderr", - "-v=4", + "webhook", + "--port=10250", + "--dns-name=\(#Name).\(#Namespace).svc", + "--cert-dir=/var/webhook-certs", + "--check-interval=5m", + "--metrics-addr=:8080", + "--healthz-addr=:8081", + "--lookahead-interval=72h", ] - env: [{ - name: "POD_NAMESPACE" - valueFrom: fieldRef: fieldPath: "metadata.namespace" - }] ports: [{ - name: "https" - containerPort: 8443 + name: "http-metrics" + containerPort: 8080 + }, { + name: "webhook" + containerPort: 10250 }] volumeMounts: [{ - name: "tmp" - mountPath: "/tmp" + name: "certs" + mountPath: "/var/webhook-certs" + readOnly: true }] - lifecycle: preStop: exec: command: ["/bin/sh", "-c", "/prestop.sh"] + readinessProbe: httpGet: { + port: 8081 + path: "/readyz" + } imagePullPolicy: v1.#PullIfNotPresent securityContext: { capabilities: drop: ["ALL"] 
diff --git a/k8s/amour/external_secrets/webhook/issuer_list.cue b/k8s/amour/external_secrets/webhook/issuer_list.cue new file mode 100644 index 000000000..06191ceed --- /dev/null +++ b/k8s/amour/external_secrets/webhook/issuer_list.cue @@ -0,0 +1,14 @@ +package webhook + +import certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + +#IssuerList: certmanagerv1.#IssuerList & { + apiVersion: "cert-manager.io/v1" + kind: "IssuerList" + items: [...{ + apiVersion: "cert-manager.io/v1" + kind: "Issuer" + }] +} + +#IssuerList: items: [{spec: selfSigned: {}}] diff --git a/k8s/amour/onepassword_secrets_injector/list.cue b/k8s/amour/external_secrets/webhook/list.cue similarity index 63% rename from k8s/amour/onepassword_secrets_injector/list.cue rename to k8s/amour/external_secrets/webhook/list.cue index eefeb47ed..a99aa9457 100644 --- a/k8s/amour/onepassword_secrets_injector/list.cue +++ b/k8s/amour/external_secrets/webhook/list.cue @@ -1,4 +1,4 @@ -package onepassword_secrets_injector +package webhook import ( "list" @@ -6,9 +6,9 @@ import ( "k8s.io/api/core/v1" ) -#Name: "onepassword-secrets-injector" -#Namespace: #Name -#Version: "1.0.2" +#Name: "external-secrets-webhook" +#Namespace: "external-secrets" +#Version: "0.9.5" #List: v1.#List & { apiVersion: "v1" @@ -28,11 +28,10 @@ import ( #List: items: list.Concat(_items) _items: [ - #CiliumNetworkPolicyList.items, - #ClusterRoleBindingList.items, - #ClusterRoleList.items, + #CertificateList.items, #DeploymentList.items, - #NamespaceList.items, + #IssuerList.items, #ServiceAccountList.items, #ServiceList.items, + #ValidatingWebhookConfigurationList.items, ] diff --git a/k8s/amour/onepassword_secrets_injector/service_account_list.cue b/k8s/amour/external_secrets/webhook/service_account_list.cue similarity index 86% rename from k8s/amour/onepassword_secrets_injector/service_account_list.cue rename to k8s/amour/external_secrets/webhook/service_account_list.cue index d41729412..3fcb183f2 100644 
--- a/k8s/amour/onepassword_secrets_injector/service_account_list.cue +++ b/k8s/amour/external_secrets/webhook/service_account_list.cue @@ -1,4 +1,4 @@ -package onepassword_secrets_injector +package webhook import "k8s.io/api/core/v1" diff --git a/k8s/amour/onepassword_secrets_injector/service_list.cue b/k8s/amour/external_secrets/webhook/service_list.cue similarity index 77% rename from k8s/amour/onepassword_secrets_injector/service_list.cue rename to k8s/amour/external_secrets/webhook/service_list.cue index c3056f90b..bb6f49071 100644 --- a/k8s/amour/onepassword_secrets_injector/service_list.cue +++ b/k8s/amour/external_secrets/webhook/service_list.cue @@ -1,4 +1,4 @@ -package onepassword_secrets_injector +package webhook import "k8s.io/api/core/v1" @@ -14,9 +14,9 @@ import "k8s.io/api/core/v1" #ServiceList: items: [{ spec: { ports: [{ - name: "https" + name: "webhook" port: 443 - targetPort: "https" + targetPort: "webhook" }] selector: "app.kubernetes.io/name": #Name } diff --git a/k8s/amour/external_secrets/webhook/validating_webhook_configuration_list.cue b/k8s/amour/external_secrets/webhook/validating_webhook_configuration_list.cue new file mode 100644 index 000000000..ffb2036e6 --- /dev/null +++ b/k8s/amour/external_secrets/webhook/validating_webhook_configuration_list.cue 
@@ -0,0 +1,72 @@
+package webhook
+
+import (
+ certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+)
+
+#ValidatingWebhookConfigurationList: admissionregistrationv1.#ValidatingWebhookConfigurationList & {
+ apiVersion: "admissionregistration.k8s.io/v1"
+ kind: "ValidatingWebhookConfigurationList"
+ items: [...{
+ apiVersion: "admissionregistration.k8s.io/v1"
+ kind: "ValidatingWebhookConfiguration"
+ }]
+}
+
+#ValidatingWebhookConfigurationList: items: [{
+ metadata: annotations: (certmanagerv1.#WantInjectAnnotation): "\(#Namespace)/\(#Name)"
+ webhooks: [{
+ name: "validate.secretstore.external-secrets.io"
+ clientConfig: service: {
+ namespace: #Namespace
+ name: #Name
+ path: "/validate-external-secrets-io-v1beta1-secretstore"
+ }
+ rules: [{
+ apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1beta1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["secretstores"]
+ scope: admissionregistrationv1.#NamespacedScope
+ }]
+ sideEffects: admissionregistrationv1.#SideEffectClassNone
+ timeoutSeconds: 5
+ admissionReviewVersions: ["v1", "v1beta1"]
+ }, {
+ name: "validate.clustersecretstore.external-secrets.io"
+ clientConfig: service: {
+ namespace: #Namespace
+ name: #Name
+ path: "/validate-external-secrets-io-v1beta1-clustersecretstore"
+ }
+ rules: [{
+ apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1beta1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["clustersecretstores"]
+ scope: admissionregistrationv1.#ClusterScope
+ }]
+ sideEffects: admissionregistrationv1.#SideEffectClassNone
+ timeoutSeconds: 5
+ admissionReviewVersions: ["v1", "v1beta1"]
+ }, {
+ name: "validate.externalsecret.external-secrets.io"
+ clientConfig: service: {
+ namespace: #Namespace
+ name: #Name
+ path: "/validate-external-secrets-io-v1beta1-externalsecret"
+ }
+ rules: [{
+ apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1beta1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["externalsecrets"]
+ scope: admissionregistrationv1.#NamespacedScope
+ }]
+ failurePolicy: admissionregistrationv1.#Fail
+ sideEffects: admissionregistrationv1.#SideEffectClassNone
+ timeoutSeconds: 5
+ admissionReviewVersions: ["v1", "v1beta1"]
+ }]
+}]
diff --git a/k8s/amour/grafana/BUILD.bazel b/k8s/amour/grafana/BUILD.bazel
new file mode 100644
index 000000000..a382777a9
--- /dev/null
+++ b/k8s/amour/grafana/BUILD.bazel
@@ -0,0 +1,23 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+ name = "cue_grafana_library",
+ srcs = [
+ "config_map_list.cue",
+ "external_secret_list.cue",
+ "list.cue",
+ "namespace_list.cue",
+ "service_account_list.cue",
+ "service_list.cue",
+ "stateful_set_list.cue",
+ "vm_service_scrape_list.cue",
+ ],
+ importpath = "github.com/uhthomas/automata/k8s/amour/grafana",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1:cue_v1beta1_library",
+ "//cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1:cue_v1beta1_library",
+ "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library",
+ "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+ ],
+)
diff --git a/k8s/amour/grafana/README.md b/k8s/amour/grafana/README.md
new file mode 100644
index 000000000..c88416811
--- /dev/null
+++ b/k8s/amour/grafana/README.md
@@ -0,0 +1,5 @@
+# Grafana
+
+[https://grafana.com/grafana/](https://grafana.com/grafana/)
+
+[https://github.com/grafana/grafana](https://github.com/grafana/grafana)
diff --git a/k8s/amour/grafana/config_map_list.cue b/k8s/amour/grafana/config_map_list.cue
new file mode 100644
index 000000000..bc32fb31f
--- /dev/null
+++ b/k8s/amour/grafana/config_map_list.cue
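Review bot: Only the `validate.externalsecret` entry sets `failurePolicy`; the `secretstore` and `clustersecretstore` entries rely on the admissionregistration/v1 default, which is also `Fail`, so behaviour is identical but the asymmetry invites someone to "fix" it the wrong way later. Add `failurePolicy: admissionregistrationv1.#Fail` to the first two webhooks so all three read the same; the Helm-rendered copy earlier in the patch has the same gap, so this is a style choice rather than a divergence from upstream. Worth a comment near `timeoutSeconds: 5` that all three are fail-closed, so an unavailable webhook blocks every SecretStore/ExternalSecret write in the cluster.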
@@ -0,0 +1,70 @@
+package grafana
+
+import (
+ "encoding/yaml"
+
+ "k8s.io/api/core/v1"
+)
+
+#ConfigMapList: v1.#ConfigMapList & {
+ apiVersion: "v1"
+ kind: "ConfigMapList"
+ items: [...{
+ apiVersion: "v1"
+ kind: "ConfigMap"
+ }]
+}
+
+#ConfigMapList: items: [{
+ data: {
+ "datasources.yaml": yaml.Marshal({
+ apiVersion: 1
+ datasources: [{
+ name: "VictoriaMetrics"
+ type: "prometheus"
+ access: "proxy"
+ url: "http://vmselect-vm.vm.svc:8481/select/0/prometheus"
+ isDefault: true
+ }, {
+ name: "Alertmanager"
+ type: "alertmanager"
+ access: "proxy"
+ url: "http://vmalertmanager-vm.vm.svc:9093"
+ implementation: "prometheus"
+ handleGrafanaManagedAlerts: true
+ }, {
+ name: "Loki"
+ type: "loki"
+ access: "proxy"
+ url: "http://loki-gateway.loki.svc"
+ }]
+ deleteDatasources: [{name: "VictoriaMetrics 4697"}]
+ })
+ "grafana.ini": """
+ [analytics]
+ check_for_updates = true
+
+ [grafana_net]
+ url = https://grafana.net
+
+ [log]
+ mode = console
+
+ [paths]
+ data = /var/lib/grafana/
+ logs = /var/log/grafana
+ plugins = /var/lib/grafana/plugins
+ provisioning = /etc/grafana/provisioning
+
+ [database]
+ path = /var/lib/grafana/database/grafana.db
+
+ [auth.anonymous]
+ enabled = true
+ org_role = Admin
+
+ [log]
+ mode = console
+ """
+ }
+}]
diff --git a/k8s/amour/grafana/external_secret_list.cue b/k8s/amour/grafana/external_secret_list.cue
new file mode 100644
index 000000000..8468928f1
--- /dev/null
+++ b/k8s/amour/grafana/external_secret_list.cue
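Review bot: `[auth.anonymous]` with `enabled = true` and `org_role = Admin` grants every unauthenticated visitor full admin rights, which makes the 1Password-backed admin credentials wired into the StatefulSet moot and lets anyone who can reach the tailscale-fronted Service in service_list.cue edit data sources, install plugins and query every backend. Use `org_role = Viewer` at most, or `enabled = false` and let the admin login gate access. The `[log]` section is declared twice with the same `mode = console`; drop the second one. `check_for_updates = true` together with `[grafana_net]` makes the instance call out to grafana.net on a schedule; set `check_for_updates = false` (and `reporting_enabled = false` under `[analytics]`) unless outbound calls from the monitoring namespace are intended.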
@@ -0,0 +1,36 @@
+package grafana
+
+import externalsecretsv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+
+#ExternalSecretList: externalsecretsv1beta1.#ExternalSecretList & {
+ apiVersion: "external-secrets.io/v1beta1"
+ kind: "ExternalSecretList"
+ items: [...{
+ apiVersion: "external-secrets.io/v1beta1"
+ kind: "ExternalSecret"
+ }]
+}
+
+#ExternalSecretList: items: [{
+ spec: {
+ secretStoreRef: {
+ name: "onepassword"
+ kind: "ClusterSecretStore"
+ }
+ target: template: metadata: {
+ annotations: {}
+ labels: {}
+ }
+ dataFrom: [{
+ extract: {
+ key: "grafana"
+ property: "username"
+ }
+ }, {
+ extract: {
+ key: "grafana"
+ property: "password"
+ }
+ }]
+ }
+}]
diff --git a/k8s/amour/grafana/list.cue b/k8s/amour/grafana/list.cue
new file mode 100644
index 000000000..3fa1c1dee
--- /dev/null
+++ b/k8s/amour/grafana/list.cue
@@ -0,0 +1,39 @@
+package grafana
+
+import (
+ "list"
+
+ "k8s.io/api/core/v1"
+)
+
+#Name: "grafana"
+#Namespace: #Name
+
+// renovate: datasource=github-releases depName=grafana/grafana extractVersion=^v(?.*)$
+#Version: "10.0.2"
+
+#List: v1.#List & {
+ apiVersion: "v1"
+ kind: "List"
+ items: [...{
+ metadata: {
+ name: #Name
+ namespace: #Namespace
+ labels: {
+ "app.kubernetes.io/name": #Name
+ "app.kubernetes.io/version": #Version
+ }
+ }
+ }]
+}
+
+#List: items: list.Concat(_items)
+
+_items: [
+ #ConfigMapList.items,
+ #ExternalSecretList.items,
+ #NamespaceList.items,
+ #ServiceList.items,
+ #StatefulSetList.items,
+ #VMServiceScrapeList.items,
+]
diff --git a/k8s/amour/onepassword_secrets_injector/namespace_list.cue b/k8s/amour/grafana/namespace_list.cue
similarity index 84%
rename from k8s/amour/onepassword_secrets_injector/namespace_list.cue
rename to k8s/amour/grafana/namespace_list.cue
index 0a87d8c35..11aa098cf 100644
--- a/k8s/amour/onepassword_secrets_injector/namespace_list.cue
+++ b/k8s/amour/grafana/namespace_list.cue
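Review bot: The StatefulSet reads the target Secret by fixed key names (`username`, `password`), but `dataFrom[].extract` lets the provider's map output decide which keys land in the Secret; whether a 1Password `extract` with `property` yields exactly those two keys is not visible in this chunk and should be confirmed. Spelling the mapping out with `data` pins the names: `data: [{secretKey: "username", remoteRef: {key: "grafana", property: "username"}}, {secretKey: "password", remoteRef: {key: "grafana", property: "password"}}]`. The `target.template.metadata` block with empty `annotations: {}` and `labels: {}` is a no-op and can go. `refreshInterval` is left at the controller default, which is fine, but a comment stating the expected rotation cadence would help whoever rotates the password in 1Password.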
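Review bot: `_items` never includes `#ServiceAccountList.items`, although `service_account_list.cue` is listed in this package's BUILD.bazel and defines the account; as written the Grafana ServiceAccount is never applied and the pod falls back to the namespace's `default` account with its token auto-mounted. Add `#ServiceAccountList.items,` between `#NamespaceList.items,` and `#ServiceList.items,`, and have the StatefulSet either name it via `serviceAccountName: #Name` or disable token automount, so the omission is not silent.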
@@ -1,4 +1,4 @@ -package onepassword_secrets_injector +package grafana import "k8s.io/api/core/v1" diff --git a/k8s/amour/grafana/service_account_list.cue b/k8s/amour/grafana/service_account_list.cue new file mode 100644 index 000000000..dd9274137 --- /dev/null +++ b/k8s/amour/grafana/service_account_list.cue @@ -0,0 +1,14 @@ +package grafana + +import "k8s.io/api/core/v1" + +#ServiceAccountList: v1.#ServiceAccountList & { + apiVersion: "v1" + kind: "ServiceAccountList" + items: [...{ + apiVersion: "v1" + kind: "ServiceAccount" + }] +} + +#ServiceAccountList: items: [{}] diff --git a/k8s/amour/grafana/service_list.cue b/k8s/amour/grafana/service_list.cue new file mode 100644 index 000000000..3a8655687 --- /dev/null +++ b/k8s/amour/grafana/service_list.cue @@ -0,0 +1,26 @@ +package grafana + +import "k8s.io/api/core/v1" + +#ServiceList: v1.#ServiceList & { + apiVersion: "v1" + kind: "ServiceList" + items: [...{ + apiVersion: "v1" + kind: "Service" + }] +} + +#ServiceList: items: [{ + metadata: annotations: "tailscale.com/hostname": "\(#Name)-unwind-k8s" + spec: { + ports: [{ + name: "http" + port: 80 + targetPort: "http" + }] + selector: "app.kubernetes.io/name": #Name + type: v1.#ServiceTypeLoadBalancer + loadBalancerClass: "tailscale" + } +}] diff --git a/k8s/amour/grafana/stateful_set_list.cue b/k8s/amour/grafana/stateful_set_list.cue new file mode 100644 index 000000000..45b79bc88 --- /dev/null +++ b/k8s/amour/grafana/stateful_set_list.cue 
@@ -0,0 +1,99 @@ +package grafana + +import ( + appsv1 "k8s.io/api/apps/v1" + "k8s.io/api/core/v1" +) + +#StatefulSetList: appsv1.#StatefulSetList & { + apiVersion: "apps/v1" + kind: "StatefulSetList" + items: [...{ + apiVersion: "apps/v1" + kind: "StatefulSet" + }] +} + +#StatefulSetList: items: [{ + spec: { + selector: matchLabels: "app.kubernetes.io/name": #Name + template: { + metadata: labels: "app.kubernetes.io/name": #Name + spec: { + volumes: [{ + name: "config" + configMap: name: "grafana" + }] + containers: [{ + name: "grafana" + image: "grafana/grafana:\(#Version)" + ports: [{ + name: "http" + containerPort: 3000 + }] + env: [{ + name: "GF_SECURITY_ADMIN_USER" + valueFrom: secretKeyRef: { + name: "grafana" + key: "username" + } + }, { + name: "GF_SECURITY_ADMIN_PASSWORD" + valueFrom: secretKeyRef: { + name: "grafana" + key: "password" + } + }] + volumeMounts: [{ + name: "config" + mountPath: "/etc/grafana/grafana.ini" + subPath: "grafana.ini" + }, { + name: "config" + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: "datasources.yaml" + }, { + name: "data" + mountPath: "/var/lib/grafana" + }] + + let probe = { + httpGet: { + path: "/api/health" + port: "http" + } + } + + livenessProbe: probe + readinessProbe: probe & { + initialDelaySeconds: 30 + failureThreshold: 5 + } + + imagePullPolicy: v1.#PullIfNotPresent + securityContext: { + capabilities: drop: ["ALL"] + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + } + }] + securityContext: { + runAsUser: 1000 + runAsGroup: 3000 + runAsNonRoot: true + fsGroup: 2000 + seccompProfile: type: v1.#SeccompProfileTypeRuntimeDefault + } + } + } + volumeClaimTemplates: [{ + metadata: name: "data" + spec: { + accessModes: [v1.#ReadWriteOnce] + storageClassName: "rook-ceph-nvme" + resources: requests: (v1.#ResourceStorage): "1Gi" + } + }] + serviceName: #Name + } +}] 
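Review bot: Nothing in this pod spec calls the Kubernetes API, yet it sets neither `serviceAccountName` nor `automountServiceAccountToken`, so the `default` ServiceAccount's token is mounted into a container that is reachable through a LoadBalancer Service. Add `automountServiceAccountToken: false` next to `volumes:` in the pod spec. The container also carries no `resources` block, so a heavy dashboard query can starve other workloads on the node; a `resources: {requests: ..., limits: ...}` stanza next to `imagePullPolicy` closes that. The container and pod securityContexts (non-root, all capabilities dropped, read-only root, RuntimeDefault seccomp) are in good shape and worth keeping as the template for the other workloads in this commit.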
diff --git a/k8s/amour/grafana/vm_service_scrape_list.cue b/k8s/amour/grafana/vm_service_scrape_list.cue new file mode 100644 index 000000000..b288c2a67 --- /dev/null +++ b/k8s/amour/grafana/vm_service_scrape_list.cue @@ -0,0 +1,19 @@ +package grafana + +import victoriametricsv1beta1 "github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1" + +#VMServiceScrapeList: victoriametricsv1beta1.#VMServiceScrapeList & { + apiVersion: "operator.victoriametrics.com/v1beta1" + kind: "VMServiceScrapeList" + items: [...{ + apiVersion: "operator.victoriametrics.com/v1beta1" + kind: "VMServiceScrape" + }] +} + +#VMServiceScrapeList: items: [{ + spec: { + endpoints: [{port: "http"}] + selector: matchLabels: "app.kubernetes.io/name": #Name + } +}] diff --git a/k8s/amour/kube_system/BUILD.bazel b/k8s/amour/kube_system/BUILD.bazel index d09ce5303..e74056712 100644 --- a/k8s/amour/kube_system/BUILD.bazel +++ b/k8s/amour/kube_system/BUILD.bazel @@ -5,6 +5,7 @@ cue_library( srcs = [ "list.cue", "namespace_list.cue", + "vm_service_scrape_list.cue", ], importpath = "github.com/uhthomas/automata/k8s/amour/kube_system", visibility = ["//visibility:public"], diff --git a/k8s/amour/kube_system/list.cue b/k8s/amour/kube_system/list.cue index 32fa3a310..665a9aab5 100644 --- a/k8s/amour/kube_system/list.cue +++ b/k8s/amour/kube_system/list.cue @@ -19,5 +19,6 @@ import ( _items: [ #NamespaceList.items, + #VMServiceScrapeList.items, metrics_server.#List.items, ] diff --git a/k8s/amour/kube_system/vm_service_scrape_list.cue b/k8s/amour/kube_system/vm_service_scrape_list.cue new file mode 100644 index 000000000..bb017d5ad --- /dev/null +++ b/k8s/amour/kube_system/vm_service_scrape_list.cue 
@@ -0,0 +1,26 @@
+package kube_system
+
+import "k8s.io/api/core/v1"
+
+// TODO: Use generated types.
+//
+// https://github.com/cue-lang/cue/issues/2466
+#VMServiceScrapeList: v1.#List & {
+ apiVersion: "operator.victoriametrics.com/v1beta1"
+ kind: "VMServiceScrapeList"
+ items: [...{
+ apiVersion: "operator.victoriametrics.com/v1beta1"
+ kind: "VMServiceScrape"
+ }]
+}
+
+#VMServiceScrapeList: items: [{
+ metadata: name: "coredns"
+ spec: {
+ endpoints: [{
+ port: "metrics"
+ bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ }]
+ selector: matchLabels: "kubernetes.io/name": "CoreDNS"
+ }
+}]
diff --git a/k8s/amour/list.cue b/k8s/amour/list.cue
index ee3d68e2b..2edf8e48c 100644
--- a/k8s/amour/list.cue
+++ b/k8s/amour/list.cue
@@ -5,6 +5,8 @@ import (
  "github.com/uhthomas/automata/k8s/amour/cert_manager_csi_driver"
  "github.com/uhthomas/automata/k8s/amour/cert_manager"
  "github.com/uhthomas/automata/k8s/amour/cilium"
+ "github.com/uhthomas/automata/k8s/amour/external_secrets"
+ "github.com/uhthomas/automata/k8s/amour/grafana"
  "github.com/uhthomas/automata/k8s/amour/intel_gpu_plugin"
  "github.com/uhthomas/automata/k8s/amour/kube_state_metrics"
  "github.com/uhthomas/automata/k8s/amour/kube_system"
@@ -12,8 +14,8 @@ import (
  "github.com/uhthomas/automata/k8s/amour/node_feature_discovery"
  "github.com/uhthomas/automata/k8s/amour/node_problem_detector"
  "github.com/uhthomas/automata/k8s/amour/onepassword_connect"
- "github.com/uhthomas/automata/k8s/amour/onepassword_operator"
  "github.com/uhthomas/automata/k8s/amour/rook_ceph"
+ "github.com/uhthomas/automata/k8s/amour/snapshot_controller"
  "github.com/uhthomas/automata/k8s/amour/thomas"
  "github.com/uhthomas/automata/k8s/amour/vm_operator"
  "github.com/uhthomas/automata/k8s/amour/vm"
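Review bot: `bearerTokenFile` makes the scraper present its own ServiceAccount token to CoreDNS, but CoreDNS's `metrics` port does not authenticate scrapes and the endpoint sets no `scheme: "https"`, so the token travels in cleartext to whatever answers on that port and buys nothing. Drop the `bearerTokenFile` line; if a token is genuinely wanted for some other target, pair it with `scheme: "https"` and a `tlsConfig` so it is only ever sent over TLS. The `v1.#List` stand-in for the generated type (per the TODO) also means this spec is unchecked at `cue vet` time, so a misspelt field would only surface when the operator reconciles it.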
@@ -42,10 +44,13 @@ _#KindWeight: { _items: [ amour.#ApplySetList.items, + amour.#ClusterSecretStoreList.items, amour.#CustomResourceDefinitionList.items, cert_manager_csi_driver.#List.items, cert_manager.#List.items, cilium.#List.items, + external_secrets.#List.items, + grafana.#List.items, intel_gpu_plugin.#List.items, kube_state_metrics.#List.items, kube_system.#List.items, @@ -53,8 +58,8 @@ _items: [ node_feature_discovery.#List.items, node_problem_detector.#List.items, onepassword_connect.#List.items, - onepassword_operator.#List.items, rook_ceph.#List.items, + snapshot_controller.#List.items, thomas.#List.items, vm_operator.#List.items, vm.#List.items, diff --git a/k8s/amour/onepassword_connect/secret_list.cue b/k8s/amour/onepassword_connect/secret_list.cue index af0f0a316..cab3fa220 100644 --- a/k8s/amour/onepassword_connect/secret_list.cue +++ b/k8s/amour/onepassword_connect/secret_list.cue @@ -11,4 +11,8 @@ import "k8s.io/api/core/v1" }] } -#SecretList: items: [{metadata: name: "onepassword-credentials"}] +#SecretList: items: [{ + metadata: name: "onepassword-credentials" +}, { + metadata: name: "onepassword-connect-token" +}] diff --git a/k8s/amour/onepassword_operator/README.md b/k8s/amour/onepassword_operator/README.md deleted file mode 100644 index f46923b99..000000000 --- a/k8s/amour/onepassword_operator/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# 1Password Operator - -[https://github.com/1Password/onepassword-operator](https://github.com/1Password/onepassword-operator) diff --git a/k8s/amour/onepassword_operator/cilium_network_policy_list.cue b/k8s/amour/onepassword_operator/cilium_network_policy_list.cue deleted file mode 100644 index 30686f8fb..000000000 --- a/k8s/amour/onepassword_operator/cilium_network_policy_list.cue +++ /dev/null 
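Review bot: `amour.#ClusterSecretStoreList` makes the 1Password store cluster-scoped, and the `external-secrets-edit` ClusterRole in this same commit aggregates ExternalSecret create/update into the built-in `edit` and `admin` roles, so any namespace editor can materialise a Secret from any item the Connect token can read. The ClusterSecretStore definition itself is not in this chunk; check that it carries `spec.conditions` with a `namespaceSelector` or `namespaces` list restricting who may reference it, or prefer namespaced `SecretStore`s where only a few namespaces need 1Password. A comment next to the `amour.#ClusterSecretStoreList.items,` entry naming the intended consumers would make that decision reviewable.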
@@ -1,52 +0,0 @@ -package onepassword_operator - -import ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" - -#CiliumNetworkPolicyList: ciliumv2.#CiliumNetworkPolicyList & { - apiVersion: "cilium.io/v2" - kind: "CiliumNetworkPolicyList" - items: [...{ - apiVersion: "cilium.io/v2" - kind: "CiliumNetworkPolicy" - }] -} - -#CiliumNetworkPolicyList: items: [{ - spec: { - endpointSelector: {} - ingress: [{}] - // ingress: [{ - // fromEntities: ["host"] - // toPorts: [{ports: [{port: "https"}]}] - // }] - // egress: [{ - // toEntities: ["host"] - // toPorts: [{ports: [{port: "https"}]}] - // }] - // egress: [{ - // toEndpoints: [{ - // matchLabels: { - // "io.kubernetes.pod.namespace": "kube-system" - // "k8s-app": "kube-dns" - // } - // }] - // toPorts: [{ - // ports: [{ - // port: "53" - // protocol: "UDP" - // }] - // rules: dns: [{ - // matchPattern: "*" - // }] - // }] - // }, { - // toServices: [{ - // k8sService: { - // serviceName: "onepassword-connect" - // namespace: "onepassword-connect" - // } - // }] - // toPorts: [{ports: [{port: "http"}]}] - // }] - } -}] diff --git a/k8s/amour/onepassword_operator/cluster_role_list.cue b/k8s/amour/onepassword_operator/cluster_role_list.cue deleted file mode 100644 index 14d79db54..000000000 --- a/k8s/amour/onepassword_operator/cluster_role_list.cue +++ /dev/null 
@@ -1,48 +0,0 @@ -package onepassword_operator - -import ( - rbacv1 "k8s.io/api/rbac/v1" - "k8s.io/api/core/v1" -) - -#ClusterRoleList: rbacv1.#ClusterRoleList & { - apiVersion: "rbac.authorization.k8s.io/v1" - kind: "ClusterRoleList" - items: [...{ - apiVersion: "rbac.authorization.k8s.io/v1" - kind: "ClusterRole" - }] -} - -#ClusterRoleList: items: [{ - rules: [{ - apiGroups: [v1.#GroupName] - resources: ["pods", "services", "services/finalizers", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets", "namespaces"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - }, { - apiGroups: ["apps"] - resources: ["deployments", "daemonsets", "replicasets", "statefulsets"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - }, { - apiGroups: ["monitoring.coreos.com"] - resources: ["servicemonitors"] - verbs: ["get", "create"] - }, { - apiGroups: ["apps"] - resourceNames: ["onepassword-operator"] - resources: ["deployments/finalizers"] - verbs: ["update"] - }, { - apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - }, { - apiGroups: ["apps"] - resources: ["replicasets", "deployments"] - verbs: ["get"] - }, { - apiGroups: ["onepassword.com"] - resources: ["*"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - }] -}] diff --git a/k8s/amour/onepassword_operator/custom_resource_definition_list.cue b/k8s/amour/onepassword_operator/custom_resource_definition_list.cue deleted file mode 100644 index 914e596f9..000000000 --- a/k8s/amour/onepassword_operator/custom_resource_definition_list.cue +++ /dev/null 
@@ -1,87 +0,0 @@ -package onepassword_operator - -import apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" - -#CustomResourceDefinitionList: apiextensionsv1.#CustomResourceDefinitionList & { - apiVersion: "apiextensions.k8s.io/v1" - kind: "CustomResourceDefinitionList" - items: [...{ - apiVersion: "apiextensions.k8s.io/v1" - kind: "CustomResourceDefinition" - }] -} - -#CustomResourceDefinitionList: items: [{ - metadata: name: "onepassworditems.onepassword.com" - spec: { - group: "onepassword.com" - names: { - kind: "OnePasswordItem" - listKind: "OnePasswordItemList" - plural: "onepassworditems" - singular: "onepassworditem" - } - scope: "Namespaced" - versions: [{ - name: "v1" - schema: openAPIV3Schema: { - description: "OnePasswordItem is the Schema for the onepassworditems API" - properties: { - apiVersion: { - description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: "string" - } - kind: { - description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: "string" - } - metadata: type: "object" - spec: { - description: "OnePasswordItemSpec defines the desired state of OnePasswordItem" - properties: itemPath: type: "string" - type: "object" - } - status: { - description: "OnePasswordItemStatus defines the observed state of OnePasswordItem" - properties: conditions: { - items: { - properties: { - lastTransitionTime: { - description: "Last time the condition transit from one status to another." 
- format: "date-time" - type: "string" - } - message: { - description: "Human-readable message indicating details about last transition." - type: "string" - } - status: { - description: "Status of the condition, one of True, False, Unknown." - type: "string" - } - type: { - description: "Type of job condition, Completed." - type: "string" - } - } - required: ["status", "type"] - type: "object" - } - type: "array" - } - required: ["conditions"] - type: "object" - } - type: { - description: "Kubernetes secret type. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types" - type: "string" - } - } - type: "object" - } - served: true - storage: true - subresources: status: {} - }] - } -}] diff --git a/k8s/amour/onepassword_operator/secret_list.cue b/k8s/amour/onepassword_operator/secret_list.cue deleted file mode 100644 index 6392a3be2..000000000 --- a/k8s/amour/onepassword_operator/secret_list.cue +++ /dev/null @@ -1,14 +0,0 @@ -package onepassword_operator - -import "k8s.io/api/core/v1" - -#SecretList: v1.#SecretList & { - apiVersion: "v1" - kind: "SecretList" - items: [...{ - apiVersion: "v1" - kind: "Secret" - }] -} - -#SecretList: items: [{metadata: name: "onepassword-connect-token"}] diff --git a/k8s/amour/onepassword_secrets_injector/README.md b/k8s/amour/onepassword_secrets_injector/README.md deleted file mode 100644 index 5f259e757..000000000 --- a/k8s/amour/onepassword_secrets_injector/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# 1Password Kubernetes Secrets Injector - -[https://github.com/1Password/kubernetes-secrets-injector](https://github.com/1Password/kubernetes-secrets-injector) diff --git a/k8s/amour/onepassword_secrets_injector/cilium_network_policy_list.cue b/k8s/amour/onepassword_secrets_injector/cilium_network_policy_list.cue deleted file mode 100644 index 8753126d2..000000000 --- a/k8s/amour/onepassword_secrets_injector/cilium_network_policy_list.cue +++ /dev/null 
@@ -1,20 +0,0 @@
-package onepassword_secrets_injector
-
-import ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
-
-#CiliumNetworkPolicyList: ciliumv2.#CiliumNetworkPolicyList & {
- apiVersion: "cilium.io/v2"
- kind: "CiliumNetworkPolicyList"
- items: [...{
- apiVersion: "cilium.io/v2"
- kind: "CiliumNetworkPolicy"
- }]
-}
-
-#CiliumNetworkPolicyList: items: [{
- spec: {
- endpointSelector: {}
- // ingress: [{}]
- // egress: [{toFQDNs: [{matchName: "1password.com"}]}]
- }
-}]
diff --git a/k8s/amour/onepassword_secrets_injector/cluster_role_list.cue b/k8s/amour/onepassword_secrets_injector/cluster_role_list.cue
deleted file mode 100644
index ee7a57c6a..000000000
--- a/k8s/amour/onepassword_secrets_injector/cluster_role_list.cue
+++ /dev/null
@@ -1,20 +0,0 @@
-package onepassword_secrets_injector
-
-import rbacv1 "k8s.io/api/rbac/v1"
-
-#ClusterRoleList: rbacv1.#ClusterRoleList & {
- apiVersion: "rbac.authorization.k8s.io/v1"
- kind: "ClusterRoleList"
- items: [...{
- apiVersion: "rbac.authorization.k8s.io/v1"
- kind: "ClusterRole"
- }]
-}
-
-#ClusterRoleList: items: [{
- rules: [{
- apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["create", "get", "delete", "list", "patch", "update", "watch"]
- }]
-}]
diff --git a/k8s/amour/rook_ceph/ceph_block_pool_list.cue b/k8s/amour/rook_ceph/ceph_block_pool_list.cue
index 2f43d4f59..fbed75716 100644
--- a/k8s/amour/rook_ceph/ceph_block_pool_list.cue
+++ b/k8s/amour/rook_ceph/ceph_block_pool_list.cue
@@ -15,9 +15,10 @@ import cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 metadata: name: "builtin-mgr"
 spec: {
 name: ".mgr"
- failureDomain: "host"
+ failureDomain: "osd"
 replicated: {
- size: 3
+ // TODO: size: 3
+ size: 2
 requireSafeReplicaSize: true
 }
 deviceClass: "nvme"
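Review bot: In the `builtin-mgr` pool hunk, `failureDomain: "osd"` combined with `size: 2` allows both copies of the `.mgr` pool to sit on the same host, so a single node loss can take the pool offline or lose it outright, and with a two-copy pool Ceph's default `min_size` (unless set elsewhere, which this hunk does not show) works out to 1, so writes are acknowledged with a single surviving copy during recovery; `requireSafeReplicaSize: true` only rejects `size: 1` and guards against neither. The `// TODO: size: 3` records the intent but not the reason or the condition for reverting, which is what a future reader needs; suggest `// TODO: revert to failureDomain "host" / size 3 once a third nvme host is available; until then a single host loss can lose .mgr data`, adjusted to the actual reason. The same pattern is applied to `replicapool-nvme` in the next hunk and deserves the same note.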
@@ -27,6 +28,7 @@ import cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 }, {
 metadata: name: "ecpool-nvme"
 spec: {
+ failureDomain: "osd"
 erasureCoded: {
 dataChunks: 4
 codingChunks: 6
@@ -40,8 +42,9 @@ import cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 }, {
 metadata: name: "replicapool-nvme"
 spec: {
- failureDomain: "host"
- replicated: size: 3
+ failureDomain: "osd"
+ // TODO: size: 3
+ replicated: size: 2
 deviceClass: "nvme"
 parameters: {
 compression_algorithm: "zstd"
@@ -51,6 +54,7 @@ import cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 }, {
 metadata: name: "ecpool-hdd"
 spec: {
+ failureDomain: "osd"
 erasureCoded: {
 dataChunks: 4
 codingChunks: 6
@@ -64,7 +68,7 @@ import cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 }, {
 metadata: name: "replicapool-hdd"
 spec: {
- failureDomain: "host"
+ failureDomain: "osd"
 replicated: size: 3
 deviceClass: "hdd"
 parameters: {
diff --git a/k8s/amour/rook_ceph/ceph_cluster_list.cue b/k8s/amour/rook_ceph/ceph_cluster_list.cue
index 8c6ddbf22..6b94e1fe6 100644
--- a/k8s/amour/rook_ceph/ceph_cluster_list.cue
+++ b/k8s/amour/rook_ceph/ceph_cluster_list.cue
@@ -53,7 +53,7 @@ import (
 // rather than with service monitors.
 //
 // See: https://github.com/rook/rook/issues/12422
- // monitoring: enabled: true
+ monitoring: enabled: true
 network: connections: {
 encryption: enabled: true
 compression: enabled: true
diff --git a/k8s/amour/rook_ceph/storage_class_list.cue b/k8s/amour/rook_ceph/storage_class_list.cue
index a16b8315f..39d5cdd65 100644
--- a/k8s/amour/rook_ceph/storage_class_list.cue
+++ b/k8s/amour/rook_ceph/storage_class_list.cue
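Review bot: In the ceph_cluster_list hunk the comment immediately above `monitoring: enabled: true` (`// rather than with service monitors. ... See: rook/rook#12422`) reads as the justification for keeping that line commented out, so with the line now live the comment is stale or at best ambiguous. Either remove it or rewrite it to say why the option is being turned on despite the linked issue, e.g. `// Enabled despite rook/rook#12422: <reason>.`, since the reason is not recoverable from this diff. The start of that comment is outside the hunk, so check its full wording before editing.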
@@ -18,11 +18,11 @@ import ( metadata: name: "rook-ceph-nvme" provisioner: "\(#Namespace).rbd.csi.ceph.com" parameters: { - clusterID: #Namespace - dataPool: "ecpool-nvme" + clusterID: #Namespace + // dataPool: "ecpool-nvme" pool: "replicapool-nvme" imageFormat: "2" - imageFeatures: "layering" + imageFeatures: "layering,fast-diff,object-map,deep-flatten,exclusive-lock" "csi.storage.k8s.io/provisioner-secret-name": "rook-csi-rbd-provisioner" "csi.storage.k8s.io/provisioner-secret-namespace": #Namespace @@ -31,6 +31,8 @@ import ( "csi.storage.k8s.io/node-stage-secret-name": "rook-csi-rbd-node" "csi.storage.k8s.io/node-stage-secret-namespace": #Namespace "csi.storage.k8s.io/fstype": "ext4" + + mounter: "rbd-nbd" } allowVolumeExpansion: true reclaimPolicy: v1.#PersistentVolumeReclaimDelete @@ -39,10 +41,10 @@ import ( provisioner: "\(#Namespace).rbd.csi.ceph.com" parameters: { clusterID: #Namespace - dataPool: "ecpool" - pool: "replicapool-hdd" + dataPool: "ecpool-hdd" + pool: "replicapool-nvme" imageFormat: "2" - imageFeatures: "layering" + imageFeatures: "layering,fast-diff,object-map,deep-flatten,exclusive-lock" "csi.storage.k8s.io/provisioner-secret-name": "rook-csi-rbd-provisioner" "csi.storage.k8s.io/provisioner-secret-namespace": #Namespace @@ -51,6 +53,8 @@ import ( "csi.storage.k8s.io/node-stage-secret-name": "rook-csi-rbd-node" "csi.storage.k8s.io/node-stage-secret-namespace": #Namespace "csi.storage.k8s.io/fstype": "ext4" + + mounter: "rbd-nbd" } allowVolumeExpansion: true reclaimPolicy: v1.#PersistentVolumeReclaimDelete diff --git a/k8s/amour/onepassword_secrets_injector/BUILD.bazel b/k8s/amour/snapshot_controller/BUILD.bazel similarity index 61% rename from k8s/amour/onepassword_secrets_injector/BUILD.bazel rename to k8s/amour/snapshot_controller/BUILD.bazel index e5941f6ac..646f81498 100644 --- a/k8s/amour/onepassword_secrets_injector/BUILD.bazel +++ b/k8s/amour/snapshot_controller/BUILD.bazel 
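Review bot: In the `@@ -39,10 +41,10 @@` hunk the second storage class (presumably the hdd one; its name is above the hunk) has its `pool` switched from `replicapool-hdd` to `replicapool-nvme` while `dataPool` becomes `ecpool-hdd`, so both classes now share `replicapool-nvme` for RBD image metadata; if that is deliberate (metadata on NVMe, data on HDD) it needs a comment, otherwise it looks like a copy-paste slip. Separately, a StorageClass's `parameters` are immutable once the object exists, so on a cluster that already has these classes the API server will reject this apply (dropping `dataPool`, the new `imageFeatures`, `mounter`) and they will have to be deleted and recreated; PVs already provisioned keep the parameters they were created with, so existing `rook-ceph-nvme` volumes stay on `ecpool-nvme`. Suggested comment on the `pool:` line: `// metadata pool deliberately on nvme; object data lives in dataPool`.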
@@ -1,23 +1,24 @@ load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library") cue_library( - name = "cue_onepassword_secrets_injector_library", + name = "cue_snapshot_controller_library", srcs = [ - "cilium_network_policy_list.cue", "cluster_role_binding_list.cue", "cluster_role_list.cue", + "custom_resource_definition_list.cue", "deployment_list.cue", "list.cue", "namespace_list.cue", + "role_binding_list.cue", + "role_list.cue", "service_account_list.cue", - "service_list.cue", ], - importpath = "github.com/uhthomas/automata/k8s/amour/onepassword_secrets_injector", + importpath = "github.com/uhthomas/automata/k8s/amour/snapshot_controller", visibility = ["//visibility:public"], deps = [ - "//cue.mod/gen/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2:cue_v2_library", "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library", "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library", "//cue.mod/gen/k8s.io/api/rbac/v1:cue_v1_library", + "//cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:cue_v1_library", ], ) diff --git a/k8s/amour/snapshot_controller/README.md b/k8s/amour/snapshot_controller/README.md new file mode 100644 index 000000000..589ee202b --- /dev/null +++ b/k8s/amour/snapshot_controller/README.md @@ -0,0 +1,11 @@ +# Snapshot Controller + +https://github.com/kubernetes-csi/external-snapshotter/tree/master + +Imported with: + +```sh +❯ k kustomize "https://github.com/kubernetes-csi/external-snapshotter/client/config/crd?ref=v6.2.1" > crd.yaml +❯ k kustomize "https://github.com/kubernetes-csi/external-snapshotter/deploy/kubernetes/snapshot-controller?ref=v6.2.1" > sc.yaml +❯ cue import -R -l "strings.ToLower(kind)" --list crd.yaml sc.yaml +``` 
diff --git a/k8s/amour/onepassword_operator/cluster_role_binding_list.cue b/k8s/amour/snapshot_controller/cluster_role_binding_list.cue similarity index 76% rename from k8s/amour/onepassword_operator/cluster_role_binding_list.cue rename to k8s/amour/snapshot_controller/cluster_role_binding_list.cue index c2033a08d..245562612 100644 --- a/k8s/amour/onepassword_operator/cluster_role_binding_list.cue +++ b/k8s/amour/snapshot_controller/cluster_role_binding_list.cue @@ -1,4 +1,4 @@ -package onepassword_operator +package snapshot_controller import rbacv1 "k8s.io/api/rbac/v1" @@ -12,14 +12,15 @@ import rbacv1 "k8s.io/api/rbac/v1" } #ClusterRoleBindingList: items: [{ - subjects: [{ - kind: rbacv1.#ServiceAccountKind - name: #Name - namespace: #Namespace - }] + metadata: name: "snapshot-controller-role" roleRef: { apiGroup: rbacv1.#GroupName kind: "ClusterRole" - name: #Name + name: "snapshot-controller-runner" } + subjects: [{ + kind: rbacv1.#ServiceAccountKind + name: "snapshot-controller" + namespace: #Namespace + }] }] diff --git a/k8s/amour/snapshot_controller/cluster_role_list.cue b/k8s/amour/snapshot_controller/cluster_role_list.cue new file mode 100644 index 000000000..828a134dc --- /dev/null +++ b/k8s/amour/snapshot_controller/cluster_role_list.cue 
@@ -0,0 +1,49 @@
+package snapshot_controller
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#ClusterRoleList: rbacv1.#ClusterRoleList & {
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "ClusterRoleList"
+ items: [...{
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "ClusterRole"
+ }]
+}
+
+#ClusterRoleList: items: [{
+ metadata: name: "snapshot-controller-runner"
+ rules: [{
+ apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ }, {
+ apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ }, {
+ apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ }, {
+ apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ }, {
+ apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["patch"]
+ }, {
+ apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ }, {
+ apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots/status"]
+ verbs: ["update", "patch"]
+ }]
+}]
diff --git a/k8s/amour/snapshot_controller/custom_resource_definition_list.cue b/k8s/amour/snapshot_controller/custom_resource_definition_list.cue
new file mode 100644
index 000000000..46e17ecb9
--- /dev/null
+++ b/k8s/amour/snapshot_controller/custom_resource_definition_list.cue
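Review bot: The `snapshot-controller-runner` rules look like a hand-copied version of external-snapshotter's `rbac-snapshot-controller.yaml`, but nothing in the file records the source or version, so the next controller bump has no anchor to diff the grants against; suggest a comment on the item, e.g. `// Mirrors deploy/kubernetes/snapshot-controller/rbac-snapshot-controller.yaml at v6.2.1 (see README.md).` Worth naming in that same comment which grants are the sensitive ones — cluster-wide `update` on `persistentvolumeclaims` and `create`/`delete` on `volumesnapshotcontents` — so they are not widened casually later. If the file was generated by the `cue import` in the README rather than typed, say that instead so readers know not to edit it by hand.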
@@ -0,0 +1,864 @@ +package snapshot_controller + +import apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + +#CustomResourceDefinitionList: apiextensionsv1.#CustomResourceDefinitionList & { + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinitionList" + items: [...{ + apiVersion: "apiextensions.k8s.io/v1" + kind: "CustomResourceDefinition" + }] +} + +#CustomResourceDefinitionList: items: [{ + metadata: { + name: "volumesnapshotclasses.snapshot.storage.k8s.io" + annotations: { + "api-approved.kubernetes.io": "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + "controller-gen.kubebuilder.io/version": "v0.11.3" + } + } + spec: { + group: "snapshot.storage.k8s.io" + names: { + kind: "VolumeSnapshotClass" + listKind: "VolumeSnapshotClassList" + plural: "volumesnapshotclasses" + shortNames: [ + "vsclass", + "vsclasses", + ] + singular: "volumesnapshotclass" + } + scope: apiextensionsv1.#ClusterScoped + versions: [{ + additionalPrinterColumns: [{ + jsonPath: ".driver" + name: "Driver" + type: "string" + }, { + description: "Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted." + + jsonPath: ".deletionPolicy" + name: "DeletionPolicy" + type: "string" + }, { + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }] + name: "v1" + schema: openAPIV3Schema: { + description: "VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced" + + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + deletionPolicy: { + description: "deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are \"Retain\" and \"Delete\". \"Retain\" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. \"Delete\" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required." + enum: [ + "Delete", + "Retain", + ] + type: "string" + } + driver: { + description: "driver is the name of the storage driver that handles this VolumeSnapshotClass. Required." + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + parameters: { + additionalProperties: type: "string" + description: "parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes." + + type: "object" + } + } + required: [ + "deletionPolicy", + "driver", + ] + type: "object" + } + served: true + storage: true + subresources: {} + }, { + additionalPrinterColumns: [{ + jsonPath: ".driver" + name: "Driver" + type: "string" + }, { + description: "Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted." 
+ + jsonPath: ".deletionPolicy" + name: "DeletionPolicy" + type: "string" + }, { + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }] + deprecated: true + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + name: "v1beta1" + schema: openAPIV3Schema: { + description: "VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced" + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + deletionPolicy: { + description: "deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are \"Retain\" and \"Delete\". \"Retain\" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. \"Delete\" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required." + enum: [ + "Delete", + "Retain", + ] + type: "string" + } + driver: { + description: "driver is the name of the storage driver that handles this VolumeSnapshotClass. Required." + + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + parameters: { + additionalProperties: type: "string" + description: "parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes." + + type: "object" + } + } + required: [ + "deletionPolicy", + "driver", + ] + type: "object" + } + served: false + storage: false + subresources: {} + }] + } + status: { + acceptedNames: { + kind: "" + plural: "" + } + conditions: [] + storedVersions: [] + } +}, { + metadata: { + name: "volumesnapshotcontents.snapshot.storage.k8s.io" + annotations: { + "api-approved.kubernetes.io": "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + "controller-gen.kubebuilder.io/version": "v0.11.3" + } + } + spec: { + group: "snapshot.storage.k8s.io" + names: { + kind: "VolumeSnapshotContent" + listKind: "VolumeSnapshotContentList" + plural: "volumesnapshotcontents" + shortNames: [ + "vsc", + "vscs", + ] + singular: "volumesnapshotcontent" + } + scope: apiextensionsv1.#ClusterScoped + versions: [{ + additionalPrinterColumns: [{ + description: "Indicates if the snapshot is ready to be used to restore a volume." + jsonPath: ".status.readyToUse" + name: "ReadyToUse" + type: "boolean" + }, { + description: "Represents the complete size of the snapshot in bytes" + jsonPath: ".status.restoreSize" + name: "RestoreSize" + type: "integer" + }, { + description: "Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted." + + jsonPath: ".spec.deletionPolicy" + name: "DeletionPolicy" + type: "string" + }, { + description: "Name of the CSI driver used to create the physical snapshot on the underlying storage system." 
+ + jsonPath: ".spec.driver" + name: "Driver" + type: "string" + }, { + description: "Name of the VolumeSnapshotClass to which this snapshot belongs." + jsonPath: ".spec.volumeSnapshotClassName" + name: "VolumeSnapshotClass" + type: "string" + }, { + description: "Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound." + + jsonPath: ".spec.volumeSnapshotRef.name" + name: "VolumeSnapshot" + type: "string" + }, { + description: "Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound." + + jsonPath: ".spec.volumeSnapshotRef.namespace" + name: "VolumeSnapshotNamespace" + type: "string" + }, { + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }] + name: "v1" + schema: openAPIV3Schema: { + description: "VolumeSnapshotContent represents the actual \"on-disk\" snapshot object in the underlying storage system" + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + spec: { + description: "spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required." + + properties: { + deletionPolicy: { + description: "deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. 
Supported values are \"Retain\" and \"Delete\". \"Retain\" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. \"Delete\" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the \"DeletionPolicy\" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required." + enum: [ + "Delete", + "Retain", + ] + type: "string" + } + driver: { + description: "driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required." + type: "string" + } + source: { + description: "source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required." + oneOf: [{ + required: [ + "snapshotHandle", + ] + }, { + required: [ + "volumeHandle", + ] + }] + properties: { + snapshotHandle: { + description: "snapshotHandle specifies the CSI \"snapshot_id\" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable." + type: "string" + } + volumeHandle: { + description: "volumeHandle specifies the CSI \"volume_id\" of the volume from which a snapshot should be dynamically taken from. This field is immutable." + type: "string" + } + } + type: "object" + } + sourceVolumeMode: { + description: "SourceVolumeMode is the mode of the volume whose snapshot is taken. Can be either “Filesystem” or “Block”. If not specified, it indicates the source volume's mode is unknown. This field is immutable. 
This field is an alpha field." + type: "string" + } + volumeSnapshotClassName: { + description: "name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation." + type: "string" + } + volumeSnapshotRef: { + description: "volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required." + properties: { + apiVersion: { + description: "API version of the referent." + type: "string" + } + fieldPath: { + description: "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future." + type: "string" + } + kind: { + description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + name: { + description: "Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + type: "string" + } + namespace: { + description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + type: "string" + } + resourceVersion: { + description: "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency" + type: "string" + } + uid: { + description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids" + type: "string" + } + } + type: "object" + "x-kubernetes-map-type": "atomic" + } + } + required: [ + "deletionPolicy", + "driver", + "source", + "volumeSnapshotRef", + ] + type: "object" + } + status: { + description: "status represents the current information of a snapshot." + properties: { + creationTime: { + description: "creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the \"creation_time\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"creation_time\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC." + format: "int64" + type: "integer" + } + error: { + description: "error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared." 
+ properties: { + message: { + description: "message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information." + type: "string" + } + time: { + description: "time is the timestamp when the error was encountered." + format: "date-time" + type: "string" + } + } + type: "object" + } + readyToUse: { + description: "readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the \"ready_to_use\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"ready_to_use\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it, otherwise, this field will be set to \"True\". If not specified, it means the readiness of a snapshot is unknown." + type: "boolean" + } + restoreSize: { + description: "restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the \"size_bytes\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"size_bytes\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown." + format: "int64" + minimum: 0 + type: "integer" + } + snapshotHandle: { + description: "snapshotHandle is the CSI \"snapshot_id\" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress." 
+ type: "string" + } + volumeGroupSnapshotContentName: { + description: "VolumeGroupSnapshotContentName is the name of the VolumeGroupSnapshotContent of which this VolumeSnapshotContent is a part of." + type: "string" + } + } + type: "object" + } + } + required: ["spec"] + type: "object" + } + served: true + storage: true + subresources: status: {} + }, { + additionalPrinterColumns: [{ + description: "Indicates if the snapshot is ready to be used to restore a volume." + jsonPath: ".status.readyToUse" + name: "ReadyToUse" + type: "boolean" + }, { + description: "Represents the complete size of the snapshot in bytes" + jsonPath: ".status.restoreSize" + name: "RestoreSize" + type: "integer" + }, { + description: "Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted." + + jsonPath: ".spec.deletionPolicy" + name: "DeletionPolicy" + type: "string" + }, { + description: "Name of the CSI driver used to create the physical snapshot on the underlying storage system." + jsonPath: ".spec.driver" + name: "Driver" + type: "string" + }, { + description: "Name of the VolumeSnapshotClass to which this snapshot belongs." + jsonPath: ".spec.volumeSnapshotClassName" + name: "VolumeSnapshotClass" + type: "string" + }, { + description: "Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound." + jsonPath: ".spec.volumeSnapshotRef.name" + name: "VolumeSnapshot" + type: "string" + }, { + description: "Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound." 
+ jsonPath: ".spec.volumeSnapshotRef.namespace" + name: "VolumeSnapshotNamespace" + type: "string" + }, { + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }] + deprecated: true + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + name: "v1beta1" + schema: openAPIV3Schema: { + description: "VolumeSnapshotContent represents the actual \"on-disk\" snapshot object in the underlying storage system" + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + spec: { + description: "spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required." + properties: { + deletionPolicy: { + description: "deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are \"Retain\" and \"Delete\". \"Retain\" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. \"Delete\" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. 
For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the \"DeletionPolicy\" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required." + enum: [ + "Delete", + "Retain", + ] + type: "string" + } + driver: { + description: "driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required." + type: "string" + } + source: { + description: "source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required." + properties: { + snapshotHandle: { + description: "snapshotHandle specifies the CSI \"snapshot_id\" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable." + type: "string" + } + volumeHandle: { + description: "volumeHandle specifies the CSI \"volume_id\" of the volume from which a snapshot should be dynamically taken from. This field is immutable." + type: "string" + } + } + type: "object" + } + volumeSnapshotClassName: { + description: "name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation." + type: "string" + } + volumeSnapshotRef: { + description: "volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. 
For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required." + properties: { + apiVersion: { + description: "API version of the referent." + type: "string" + } + fieldPath: { + description: "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future." + type: "string" + } + kind: { + description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + name: { + description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" + type: "string" + } + namespace: { + description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/" + type: "string" + } + resourceVersion: { + description: "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency" + type: "string" + } + uid: { + description: "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids" + type: "string" + } + } + type: "object" + } + } + required: [ + "deletionPolicy", + "driver", + "source", + "volumeSnapshotRef", + ] + type: "object" + } + status: { + description: "status represents the current information of a snapshot." + properties: { + creationTime: { + description: "creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the \"creation_time\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"creation_time\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC." + format: "int64" + type: "integer" + } + error: { + description: "error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared." + properties: { + message: { + description: "message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information." + type: "string" + } + time: { + description: "time is the timestamp when the error was encountered." + format: "date-time" + type: "string" + } + } + type: "object" + } + readyToUse: { + description: "readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the \"ready_to_use\" value returned from CSI \"CreateSnapshot\" gRPC call. 
For a pre-existing snapshot, this field will be filled with the \"ready_to_use\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it, otherwise, this field will be set to \"True\". If not specified, it means the readiness of a snapshot is unknown." + type: "boolean" + } + restoreSize: { + description: "restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the \"size_bytes\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"size_bytes\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown." + format: "int64" + minimum: 0 + type: "integer" + } + snapshotHandle: { + description: "snapshotHandle is the CSI \"snapshot_id\" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress." 
+ type: "string" + } + } + type: "object" + } + } + required: ["spec"] + type: "object" + } + served: false + storage: false + subresources: status: {} + }] + } + status: { + acceptedNames: { + kind: "" + plural: "" + } + conditions: [] + storedVersions: [] + } +}, { + metadata: { + name: "volumesnapshots.snapshot.storage.k8s.io" + annotations: { + "api-approved.kubernetes.io": "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + "controller-gen.kubebuilder.io/version": "v0.11.3" + } + }, spec: { + group: "snapshot.storage.k8s.io" + names: { + kind: "VolumeSnapshot" + listKind: "VolumeSnapshotList" + plural: "volumesnapshots" + shortNames: [ + "vs", + ] + singular: "volumesnapshot" + } + scope: apiextensionsv1.#NamespaceScoped + versions: [{ + additionalPrinterColumns: [{ + description: "Indicates if the snapshot is ready to be used to restore a volume." + jsonPath: ".status.readyToUse" + name: "ReadyToUse" + type: "boolean" + }, { + description: "If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created." + jsonPath: ".spec.source.persistentVolumeClaimName" + name: "SourcePVC" + type: "string" + }, { + description: "If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot." + jsonPath: ".spec.source.volumeSnapshotContentName" + name: "SourceSnapshotContent" + type: "string" + }, { + description: "Represents the minimum size of volume required to rehydrate from this snapshot." + jsonPath: ".status.restoreSize" + name: "RestoreSize" + type: "string" + }, { + description: "The name of the VolumeSnapshotClass requested by the VolumeSnapshot." + jsonPath: ".spec.volumeSnapshotClassName" + name: "SnapshotClass" + type: "string" + }, { + description: "Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. 
Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object." + + jsonPath: ".status.boundVolumeSnapshotContentName" + name: "SnapshotContent" + type: "string" + }, { + description: "Timestamp when the point-in-time snapshot was taken by the underlying storage system." + jsonPath: ".status.creationTime" + name: "CreationTime" + type: "date" + }, { + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }] + name: "v1" + schema: openAPIV3Schema: { + description: "VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + spec: { + description: "spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required." + properties: { + source: { + description: "source specifies where a snapshot will be created from. This field is immutable after creation. Required." 
+ oneOf: [{ + required: ["persistentVolumeClaimName"] + }, { + required: ["volumeSnapshotContentName"] + }] + properties: { + persistentVolumeClaimName: { + description: "persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable." + type: "string" + } + volumeSnapshotContentName: { + description: "volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable." + type: "string" + } + } + type: "object" + } + volumeSnapshotClassName: { + description: "VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field." + type: "string" + } + } + required: ["source"] + type: "object" + } + status: { + description: "status represents the current information of a snapshot. 
Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object." + + properties: { + boundVolumeSnapshotContentName: { + description: "boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object." + type: "string" + } + creationTime: { + description: "creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the \"creation_time\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"creation_time\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown." + format: "date-time" + type: "string" + } + error: { + description: "error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared." 
+ properties: { + message: { + description: "message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information." + type: "string" + } + time: { + description: "time is the timestamp when the error was encountered." + format: "date-time" + type: "string" + } + } + type: "object" + } + readyToUse: { + description: "readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the \"ready_to_use\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"ready_to_use\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it, otherwise, this field will be set to \"True\". If not specified, it means the readiness of a snapshot is unknown." + type: "boolean" + } + restoreSize: { + description: "restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the \"size_bytes\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"size_bytes\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown." + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + type: "string" + "x-kubernetes-int-or-string": true + } + volumeGroupSnapshotName: { + description: "VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this VolumeSnapshot is a part of." 
+ type: "string" + } + } + type: "object" + } + } + required: ["spec"] + type: "object" + } + served: true + storage: true + subresources: status: {} + }, { + additionalPrinterColumns: [{ + description: "Indicates if the snapshot is ready to be used to restore a volume." + jsonPath: ".status.readyToUse" + name: "ReadyToUse" + type: "boolean" + }, { + description: "If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created." + jsonPath: ".spec.source.persistentVolumeClaimName" + name: "SourcePVC" + type: "string" + }, { + description: "If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot." + jsonPath: ".spec.source.volumeSnapshotContentName" + name: "SourceSnapshotContent" + type: "string" + }, { + description: "Represents the minimum size of volume required to rehydrate from this snapshot." + jsonPath: ".status.restoreSize" + name: "RestoreSize" + type: "string" + }, { + description: "The name of the VolumeSnapshotClass requested by the VolumeSnapshot." + jsonPath: ".spec.volumeSnapshotClassName" + name: "SnapshotClass" + type: "string" + }, { + description: "Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object." + jsonPath: ".status.boundVolumeSnapshotContentName" + name: "SnapshotContent" + type: "string" + }, { + description: "Timestamp when the point-in-time snapshot was taken by the underlying storage system." 
+ jsonPath: ".status.creationTime" + name: "CreationTime" + type: "date" + }, { + jsonPath: ".metadata.creationTimestamp" + name: "Age" + type: "date" + }] + deprecated: true + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + name: "v1beta1" + schema: openAPIV3Schema: { + description: "VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot." + properties: { + apiVersion: { + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: "string" + } + kind: { + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: "string" + } + spec: { + description: "spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required." + properties: { + source: { + description: "source specifies where a snapshot will be created from. This field is immutable after creation. Required." + properties: { + persistentVolumeClaimName: { + description: "persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable." 
+ type: "string" + } + volumeSnapshotContentName: { + description: "volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable." + type: "string" + } + } + type: "object" + } + volumeSnapshotClassName: { + description: "VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field." + type: "string" + } + } + required: ["source"] + type: "object" + } + status: { + description: "status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object." + + properties: { + boundVolumeSnapshotContentName: { + description: "boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. 
NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object." + type: "string" + } + creationTime: { + description: "creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the \"creation_time\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"creation_time\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown." + format: "date-time" + type: "string" + } + error: { + description: "error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared." + properties: { + message: { + description: "message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information." + type: "string" + } + time: { + description: "time is the timestamp when the error was encountered." + format: "date-time" + type: "string" + } + } + type: "object" + } + readyToUse: { + description: "readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the \"ready_to_use\" value returned from CSI \"CreateSnapshot\" gRPC call. 
For a pre-existing snapshot, this field will be filled with the \"ready_to_use\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it, otherwise, this field will be set to \"True\". If not specified, it means the readiness of a snapshot is unknown." + type: "boolean" + } + restoreSize: { + description: "restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the \"size_bytes\" value returned from CSI \"CreateSnapshot\" gRPC call. For a pre-existing snapshot, this field will be filled with the \"size_bytes\" value returned from the CSI \"ListSnapshots\" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown." + pattern: "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" + type: "string" + "x-kubernetes-int-or-string": true + } + } + type: "object" + } + } + required: ["spec"] + type: "object" + } + served: false + storage: false + subresources: status: {} + }] + } + status: { + acceptedNames: { + kind: "" + plural: "" + } + conditions: [] + storedVersions: [] + } +}] diff --git a/k8s/amour/snapshot_controller/deployment_list.cue b/k8s/amour/snapshot_controller/deployment_list.cue new file mode 100644 index 000000000..edc99618d --- /dev/null +++ b/k8s/amour/snapshot_controller/deployment_list.cue 
@@ -0,0 +1,42 @@
+package snapshot_controller
+
+import (
+ appsv1 "k8s.io/api/apps/v1"
+ "k8s.io/api/core/v1"
+)
+
+#DeploymentList: appsv1.#DeploymentList & {
+ apiVersion: "apps/v1"
+ kind: "DeploymentList"
+ items: [...{
+ apiVersion: "apps/v1"
+ kind: "Deployment"
+ }]
+}
+
+#DeploymentList: items: [{
+ spec: {
+ minReadySeconds: 15
+ replicas: 2
+ selector: matchLabels: "app.kubernetes.io/name": #Name
+ strategy: rollingUpdate: {
+ maxSurge: 0
+ maxUnavailable: 1
+ }
+ template: {
+ metadata: labels: "app.kubernetes.io/name": #Name
+ spec: {
+ containers: [{
+ name: "snapshot-controller"
+ image: "registry.k8s.io/sig-storage/snapshot-controller:v6.2.1"
+ args: [
+ "--v=5",
+ "--leader-election=true",
+ ]
+ imagePullPolicy: v1.#PullIfNotPresent
+ }]
+ serviceAccountName: #Name
+ }
+ }
+ }
+}]
diff --git a/k8s/amour/onepassword_operator/list.cue b/k8s/amour/snapshot_controller/list.cue
similarity index 79%
rename from k8s/amour/onepassword_operator/list.cue
rename to k8s/amour/snapshot_controller/list.cue
index bb280db75..1add4b9ca 100644
--- a/k8s/amour/onepassword_operator/list.cue
+++ b/k8s/amour/snapshot_controller/list.cue
@@ -1,4 +1,4 @@
-package onepassword_operator
+package snapshot_controller
 
 import (
 "list"
@@ -6,9 +6,9 @@ import (
 "k8s.io/api/core/v1"
 )
 
-#Name: "onepassword-operator"
+#Name: "snapshot-controller"
 #Namespace: #Name
-#Version: "1.8.0"
+#Version: "6.2.1"
 
 #List: v1.#List & {
 apiVersion: "v1"
@@ -28,12 +28,12 @@ import (
 #List: items: list.Concat(_items)
 
 _items: [
- #CiliumNetworkPolicyList.items,
 #ClusterRoleBindingList.items,
 #ClusterRoleList.items,
 #CustomResourceDefinitionList.items,
 #DeploymentList.items,
 #NamespaceList.items,
- #SecretList.items,
+ #RoleBindingList.items,
+ #RoleList.items,
 #ServiceAccountList.items,
 ]
diff --git a/k8s/amour/snapshot_controller/namespace_list.cue b/k8s/amour/snapshot_controller/namespace_list.cue
new file mode 100644
index 000000000..6c307f4b6
--- /dev/null
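Review bot: The snapshot-controller pod spec in deployment_list.cue sets no `securityContext` and no `resources`, while the vm components touched later in this commit carry `securityContext: defaultPodSecurityContext` and CPU/memory limits, so this controller falls back to whatever the cluster defaults are. If the package has an equivalent default, `securityContext: defaultPodSecurityContext` on the pod spec plus a `resources: limits:` block on the container would bring it in line with the rest of the tree. The image tag is also hard-coded as `v6.2.1` even though list.cue now declares `#Version: "6.2.1"`; `image: "registry.k8s.io/sig-storage/snapshot-controller:v\(#Version)"` keeps the two from drifting.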
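Review bot: Dropping `#CiliumNetworkPolicyList.items` from `_items` in list.cue means the renamed package no longer emits a CiliumNetworkPolicy, so the `snapshot-controller` namespace is left without the network policy its predecessor had. The controller's only dependency visible here is the API server (leader-election leases and the snapshot CRDs), so a policy limited to that egress would restore the previous posture; if the omission is deliberate, a sentence in the commit message would save the next reader from wondering. The `#SecretList` removal looks intentional, since the new package defines no secret of its own.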
+++ b/k8s/amour/snapshot_controller/namespace_list.cue
@@ -0,0 +1,14 @@
+package snapshot_controller
+
+import "k8s.io/api/core/v1"
+
+#NamespaceList: v1.#NamespaceList & {
+ apiVersion: "v1"
+ kind: "NamespaceList"
+ items: [...{
+ apiVersion: "v1"
+ kind: "Namespace"
+ }]
+}
+
+#NamespaceList: items: [{}]
diff --git a/k8s/amour/snapshot_controller/role_binding_list.cue b/k8s/amour/snapshot_controller/role_binding_list.cue
new file mode 100644
index 000000000..2d1419d8d
--- /dev/null
+++ b/k8s/amour/snapshot_controller/role_binding_list.cue
@@ -0,0 +1,25 @@
+package snapshot_controller
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#RoleBindingList: rbacv1.#RoleBindingList & {
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "RoleBindingList"
+ items: [...{
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "RoleBinding"
+ }]
+}
+
+#RoleBindingList: items: [{
+ metadata: name: "snapshot-controller-leaderelection"
+ roleRef: {
+ apiGroup: rbacv1.#GroupName
+ kind: "Role"
+ name: "snapshot-controller-leaderelection"
+ }
+ subjects: [{
+ kind: rbacv1.#ServiceAccountKind
+ name: "snapshot-controller"
+ }]
+}]
diff --git a/k8s/amour/snapshot_controller/role_list.cue b/k8s/amour/snapshot_controller/role_list.cue
new file mode 100644
index 000000000..ed06d05a4
--- /dev/null
+++ b/k8s/amour/snapshot_controller/role_list.cue
@@ -0,0 +1,21 @@
+package snapshot_controller
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#RoleList: rbacv1.#RoleList & {
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "RoleList"
+ items: [...{
+ apiVersion: "rbac.authorization.k8s.io/v1"
+ kind: "Role"
+ }]
+}
+
+#RoleList: items: [{
+ metadata: name: "snapshot-controller-leaderelection"
+ rules: [{
+ apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ }]
+}]
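Review bot: The ServiceAccount subject in role_binding_list.cue gives `kind` and `name` but no `namespace`; the RBAC API requires `namespace` on ServiceAccount subjects, so the API server will reject this RoleBinding unless a constraint elsewhere in the package (outside this hunk) fills it in. Adding `namespace: #Namespace` next to `name: "snapshot-controller"` makes the binding self-contained, and `name: #Name` would tie it to the package constant the way the Deployment's `serviceAccountName: #Name` already does.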
diff --git a/k8s/amour/snapshot_controller/service_account_list.cue b/k8s/amour/snapshot_controller/service_account_list.cue
new file mode 100644
index 000000000..dacb24715
--- /dev/null
+++ b/k8s/amour/snapshot_controller/service_account_list.cue
@@ -0,0 +1,14 @@
+package snapshot_controller
+
+import "k8s.io/api/core/v1"
+
+#ServiceAccountList: v1.#ServiceAccountList & {
+ apiVersion: "v1"
+ kind: "ServiceAccountList"
+ items: [...{
+ apiVersion: "v1"
+ kind: "ServiceAccount"
+ }]
+}
+
+#ServiceAccountList: items: [{}]
diff --git a/k8s/amour/vm/vm_agent_list.cue b/k8s/amour/vm/vm_agent_list.cue
index 7ab91d6bc..3acfaf4f4 100644
--- a/k8s/amour/vm/vm_agent_list.cue
+++ b/k8s/amour/vm/vm_agent_list.cue
@@ -54,7 +54,7 @@ import "k8s.io/api/core/v1"
 }
 statefulMode: true
 statefulStorage: volumeClaimTemplate: spec: {
- storageClassName: "rook-ceph-nvme-ec-delete-block"
+ storageClassName: "rook-ceph-nvme"
 resources: requests: (v1.#ResourceStorage): "4Gi"
 }
 }
diff --git a/k8s/amour/vm/vm_alertmanager_list.cue b/k8s/amour/vm/vm_alertmanager_list.cue
index 64ba2da06..6b18fb7a0 100644
--- a/k8s/amour/vm/vm_alertmanager_list.cue
+++ b/k8s/amour/vm/vm_alertmanager_list.cue
@@ -18,7 +18,7 @@ import "k8s.io/api/core/v1"
 spec: {
 replicaCount: 2
 storage: volumeClaimTemplate: spec: {
- storageClassName: "rook-ceph-nvme-ec-delete-block"
+ storageClassName: "rook-ceph-nvme"
 resources: requests: (v1.#ResourceStorage): "512Mi"
 }
 resources: limits: {
diff --git a/k8s/amour/vm/vm_cluster_list.cue b/k8s/amour/vm/vm_cluster_list.cue
index 986a3b457..232963544 100644
--- a/k8s/amour/vm/vm_cluster_list.cue
+++ b/k8s/amour/vm/vm_cluster_list.cue
@@ -36,7 +36,7 @@ import "k8s.io/api/core/v1"
 vmselect: {
 replicaCount: 2
 resources: limits: {
- (v1.#ResourceCPU): 1
+ (v1.#ResourceCPU): "500m"
 (v1.#ResourceMemory): "256Mi"
 }
 securityContext: defaultPodSecurityContext
@@ -83,8 +83,8 @@ import "k8s.io/api/core/v1"
 vmstorage: {
 replicaCount: 2
 resources: limits: {
- (v1.#ResourceCPU): 1
- (v1.#ResourceMemory): "1.5Gi"
+ (v1.#ResourceCPU): "500m"
+ (v1.#ResourceMemory): "1Gi"
 }
 securityContext: defaultPodSecurityContext
 containers: [{
diff --git a/tools/tools.go b/tools/tools.go
index a29d10b45..6d2155495 100644
--- a/tools/tools.go
+++ b/tools/tools.go
@@ -5,9 +5,12 @@ package tools
 import (
 _ "cuelang.org/go/cmd/cue"
+ _ "github.com/1Password/onepassword-operator/api/v1"
+ _ "github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1"
 _ "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 _ "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
 _ "github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
+ _ "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 _ "github.com/prometheus/prometheus/model/rulefmt"
 _ "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 _ "k8s.io/api"