feat(helm): update chart external-secrets ( 0.19.2 → 0.20.4 ) #2979
Open: renovate wants to merge 1 commit into main from renovate/external-secrets-0.x
Conversation
--- /tmp/tmp.RAD0uhgZnY 2025-10-14 08:28:05.329805901 +0000
+++ /tmp/tmp.Y7LnygVLwu 2025-10-14 08:28:07.376812231 +0000
@@ -36,7 +36,7 @@
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: acraccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
@@ -212,6 +212,7 @@
- USGovernmentCloud
- ChinaCloud
- GermanCloud
+ - AzureStackCloud
type: string
registry:
description: |-
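Review bot: `AzureStackCloud` is added to the ACRAccessToken generator's `environmentType` enum, but this hunk shows no companion field for the custom endpoints an Azure Stack deployment needs; the ClusterSecretStore hunk further down introduces `customCloudConfig` with the wording "Required when EnvironmentType is AzureStackCloud". Either the generator should gain the same `customCloudConfig` block (not visible in this hunk), or the enum value should be documented as unsupported for this generator so a user does not select it and fail at runtime.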
@@ -245,12 +246,107 @@
status: {}
---
+# Source: external-secrets/charts/external-secrets/templates/crds/cloudsmithaccesstoken.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.19.0
+ name: cloudsmithaccesstokens.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: CloudsmithAccessToken
+ listKind: CloudsmithAccessTokenList
+ plural: cloudsmithaccesstokens
+ singular: cloudsmithaccesstoken
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: CloudsmithAccessToken generates Cloudsmith access token using OIDC
+ authentication
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ apiUrl:
+ description: APIURL configures the Cloudsmith API URL. Defaults to
+ https://api.cloudsmith.io.
+ type: string
+ orgSlug:
+ description: OrgSlug is the organization slug in Cloudsmith
+ type: string
+ serviceAccountRef:
+ description: Name of the service account you are federating with
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ serviceSlug:
+ description: ServiceSlug is the service slug in Cloudsmith for OIDC
+ authentication
+ type: string
+ required:
+ - orgSlug
+ - serviceAccountRef
+ - serviceSlug
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
# Source: external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: clusterexternalsecrets.external-secrets.io
spec:
group: external-secrets.io
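Review bot: `spec.apiUrl` in the new CloudsmithAccessToken CRD is an unconstrained string, yet it is the endpoint to which the projected ServiceAccount token from `serviceAccountRef` is presented; a `pattern: ^https://` (and a schema-level `default: https://api.cloudsmith.io`, so the documented default is enforced by the API server rather than only by the controller) would stop a misconfigured or hostile object sending that token to a plaintext or attacker-controlled host. Two smaller points in the same hunk: the `audiences` description still talks about IRSA and GCP Workload Identity, which is copied from the other generators and misleading for a Cloudsmith OIDC exchange, and `orgSlug`/`serviceSlug` carry no `minLength` or `pattern` although they identify the organization and service in that exchange.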
@@ -404,6 +500,7 @@
enum:
- ACRAccessToken
- ClusterGenerator
+ - CloudsmithAccessToken
- ECRAuthorizationToken
- Fake
- GCRAccessToken
@@ -555,6 +652,9 @@
conflictPolicy:
default: Error
description: Used to define the policy to use in conflict resolution.
+ enum:
+ - Ignore
+ - Error
type: string
into:
default: ""
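Review bot: adding `enum: [Ignore, Error]` to `conflictPolicy`, previously a free-form string, tightens validation on an already-served version with no conversion step; any ExternalSecret stored with another spelling (for example lowercase `error`) will be rejected on its next update rather than at upgrade time, so the release notes should say so. The description should also state which value wins when `Ignore` is chosen, since a silently resolved key conflict is the outcome an operator is least likely to expect.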
@@ -567,9 +667,20 @@
items:
type: string
type: array
+ priorityPolicy:
+ default: Strict
+ description: Used to define the policy when a key in the priority list does not
+ exist in the input.
+ enum:
+ - IgnoreNotFound
+ - Strict
+ type: string
strategy:
default: Extract
description: Used to define the strategy to use in the merge operation.
+ enum:
+ - Extract
+ - JSON
type: string
type: object
regexp:
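Review bot: `priorityPolicy: IgnoreNotFound` turns a missing key in the priority list into a no-op instead of an error, which hides a typo in a rewrite rule until a consumer finds the key absent from the Secret; keeping `Strict` as the default (as this hunk does) is right, but the description should say explicitly that `IgnoreNotFound` skips the key. The new `strategy` enum (`Extract`, `JSON`) is the same validation tightening as `conflictPolicy` above: existing objects with another spelling fail on the next write, not at upgrade.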
@@ -625,6 +736,7 @@
enum:
- ACRAccessToken
- ClusterGenerator
+ - CloudsmithAccessToken
- ECRAuthorizationToken
- Fake
- GCRAccessToken
@@ -781,6 +893,10 @@
additionalProperties:
type: string
type: object
+ finalizers:
+ items:
+ type: string
+ type: array
labels:
additionalProperties:
type: string
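Review bot: allowing `finalizers` under the target template `metadata` lets an ExternalSecret author attach arbitrary finalizers to the generated Secret; deletion of that Secret then blocks until something with update permission on it clears them, so a finalizer nobody owns leaves an orphaned Secret holding live credentials in the namespace after the ExternalSecret is gone. If this is intended, the description should say who is expected to remove the finalizer, and the controller's own RBAC should be checked for the Secret update it needs when cleaning up on ExternalSecret deletion.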
@@ -1793,7 +1909,7 @@
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: clustergenerators.generators.external-secrets.io
spec:
group: generators.external-secrets.io
@@ -1969,6 +2085,7 @@
- USGovernmentCloud
- ChinaCloud
- GermanCloud
+ - AzureStackCloud
type: string
registry:
description: |-
@@ -1995,6 +2112,52 @@
- auth
- registry
type: object
+ cloudsmithAccessTokenSpec:
+ properties:
+ apiUrl:
+ description: APIURL configures the Cloudsmith API URL. Defaults to
+ https://api.cloudsmith.io.
+ type: string
+ orgSlug:
+ description: OrgSlug is the organization slug in Cloudsmith
+ type: string
+ serviceAccountRef:
+ description: Name of the service account you are federating with
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ serviceSlug:
+ description: ServiceSlug is the service slug in Cloudsmith for OIDC
+ authentication
+ type: string
+ required:
+ - orgSlug
+ - serviceAccountRef
+ - serviceSlug
+ type: object
ecrAuthorizationTokenSpec:
properties:
auth:
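Review bot: in `cloudsmithAccessTokenSpec` of the cluster-scoped ClusterGenerator, `serviceAccountRef.namespace` is optional and its description ("defaults to the namespace of the referent") has no clear meaning for a cluster-scoped object; since this field decides which ServiceAccount's token is minted and sent to Cloudsmith, `namespace` should be in `required` here, or the description should state the fallback (e.g. the controller's namespace) so the behaviour is not left to whatever the controller does when the field is empty.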
@@ -2227,6 +2390,122 @@
- clusterName
- serviceAccountRef
type: object
+ workloadIdentityFederation:
+ description: GCPWorkloadIdentityFederation holds the configurations required for
+ generating federated access tokens.
+ properties:
+ audience:
+ description: |-
+ audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
+ If specified, Audience found in the external account credential config will be overridden with the configured value.
+ audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
+ type: string
+ awsSecurityCredentials:
+ description: |-
+ awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
+ when using the AWS metadata server is not an option.
+ properties:
+ awsCredentialsSecretRef:
+ description: |-
+ awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
+ Secret should be created with below names for keys
+ - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
+ - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
+ - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
+ properties:
+ name:
+ description: name of the secret.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: namespace in which the secret exists. If empty, secret will looked
+ up in local namespace.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ region:
+ description: region is for configuring the AWS region to be used.
+ example: ap-south-1
+ maxLength: 50
+ minLength: 1
+ pattern: ^[a-z0-9-]+$
+ type: string
+ required:
+ - awsCredentialsSecretRef
+ - region
+ type: object
+ credConfig:
+ description: |-
+ credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
+ For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
+ serviceAccountRef must be used by providing operators service account details.
+ properties:
+ key:
+ description: key name holding the external account credential config.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: name of the configmap.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: namespace in which the configmap exists. If empty, configmap will
+ looked up in local namespace.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - key
+ - name
+ type: object
+ externalTokenEndpoint:
+ description: |-
+ externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
+ credential_source.url in the provided credConfig. This field is merely to double-check the external token source
+ URL is having the expected value.
+ type: string
+ serviceAccountRef:
+ description: |-
+ serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
+ when Kubernetes is configured as provider in workload identity pool.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ type: object
type: object
projectID:
description: ProjectID defines which project to use to authenticate with
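Review bot: the `audience` description says it "must be provided when serviceAccountRef or awsSecurityCredentials is configured", but nothing in the schema enforces it, and nothing makes `serviceAccountRef`, `awsSecurityCredentials` and `credConfig` mutually exclusive; an `x-kubernetes-validations` CEL rule such as `has(self.audience) || (!has(self.serviceAccountRef) && !has(self.awsSecurityCredentials))` would reject the misconfiguration at admission instead of at token-exchange time. `awsSecurityCredentials` also bootstraps a federated GCP token from static AWS keys held in a Secret; the description should point users at `aws_session_token` with short-lived credentials rather than permanent access keys wherever the metadata server is unavailable.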
@@ -2836,6 +3115,12 @@
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
+ path:
+ default: cert
+ description: |-
+ Path where the Certificate authentication backend is mounted
+ in Vault, e.g: "cert"
+ type: string
secretRef:
description: |-
SecretRef to a key in a Secret resource containing client private key to
@@ -3373,6 +3658,18 @@
- name
- type
type: object
+ checkAndSet:
+ description: |-
+ CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
+ Only applies to Vault KV v2 stores. When enabled, write operations must include
+ the current version of the secret to prevent unintentional overwrites.
+ properties:
+ required:
+ description: |-
+ Required when true, all write operations must include a check-and-set parameter.
+ This helps prevent unintentional overwrites of secrets.
+ type: boolean
+ type: object
forwardInconsistent:
description: |-
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
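Review bot: `checkAndSet.required` has no `default:`; since the description says CAS "only applies to Vault KV v2 stores" and that when enabled every write must carry the current version, an explicit `default: false` would record that existing PushSecret stores keep their current overwrite behaviour. The description should also mention that Vault can force CAS on the mount itself (`cas_required`), in which case writes without a version fail regardless of this field.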
@@ -3694,6 +3991,7 @@
description: Kind the kind of this generator.
enum:
- ACRAccessToken
+ - CloudsmithAccessToken
- ECRAuthorizationToken
- Fake
- GCRAccessToken
@@ -3723,7 +4021,7 @@
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: clusterpushsecrets.external-secrets.io
spec:
group: external-secrets.io
@@ -3975,6 +4273,7 @@
enum:
- ACRAccessToken
- ClusterGenerator
+ - CloudsmithAccessToken
- ECRAuthorizationToken
- Fake
- GCRAccessToken
@@ -4087,6 +4386,10 @@
additionalProperties:
type: string
type: object
+ finalizers:
+ items:
+ type: string
+ type: array
labels:
additionalProperties:
type: string
@@ -4255,7 +4558,7 @@
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: clustersecretstores.external-secrets.io
spec:
group: external-secrets.io
@@ -5030,18 +5333,44 @@
- ManagedIdentity
- WorkloadIdentity
type: string
+ customCloudConfig:
+ description: |-
+ CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
+ Required when EnvironmentType is AzureStackCloud.
+ IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
+ configuration is not supported with the legacy go-autorest SDK.
+ properties:
+ activeDirectoryEndpoint:
+ description: |-
+ ActiveDirectoryEndpoint is the AAD endpoint for authentication
+ Required when using custom cloud configuration
+ type: string
+ keyVaultDNSSuffix:
+ description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
+ type: string
+ keyVaultEndpoint:
+ description: KeyVaultEndpoint is the Key Vault service endpoint
+ type: string
+ resourceManagerEndpoint:
+ description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
+ type: string
+ required:
+ - activeDirectoryEndpoint
+ type: object
environmentType:
default: PublicCloud
description: |-
EnvironmentType specifies the Azure cloud environment endpoints to use for
connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+ PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
+ Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
enum:
- PublicCloud
- USGovernmentCloud
- ChinaCloud
- GermanCloud
+ - AzureStackCloud
type: string
identityId:
description: If multiple Managed Identity is assigned to the pod, you can select
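Review bot: both constraints in the `customCloudConfig` description ("Required when EnvironmentType is AzureStackCloud" and "REQUIRES UseAzureSDK to be set to true") are prose only; the schema requires nothing but `activeDirectoryEndpoint` inside the block, and nothing at the provider level ties `environmentType`, `customCloudConfig` and `useAzureSDK` together, so a store with `environmentType: AzureStackCloud` and no `customCloudConfig`, or with `useAzureSDK: false`, is accepted and fails later in the controller. A CEL rule on the parent object, e.g. `self.environmentType != 'AzureStackCloud' || (has(self.customCloudConfig) && self.useAzureSDK == true)`, would enforce it at admission. The four endpoint fields are also free-form strings although `activeDirectoryEndpoint` is where the client secret or workload identity token is sent; a `pattern: ^https://` is cheap insurance.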
@@ -5082,6 +5411,12 @@
for ServicePrincipal auth type. Optional for
WorkloadIdentity.
type: string
+ useAzureSDK:
+ default: false
+ description: |-
+ UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
+ This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
+ type: boolean
vaultUrl:
description: Vault Url from which the secrets to be fetched from.
type: string
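Review bot: `useAzureSDK` is described as experimental and defaults to false, yet the `customCloudConfig` hunk above makes it mandatory for `AzureStackCloud`; the new Azure Stack support therefore rides entirely on the experimental code path, and a user who only follows the enum addition will hit a runtime error unless they also flip this flag. The description should name that dependency, and the release notes should say whether the two SDK paths authenticate identically for `ManagedIdentity`, `WorkloadIdentity` and `ServicePrincipal` before anyone migrates a production store.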
@@ -5959,6 +6294,8 @@
- value
type: object
type: array
+ validationResult:
+ type: integer
required:
- data
type: object
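Review bot: `validationResult` is added as a bare `type: integer` with no description, enum or default, so a reader of the schema cannot tell whether it is a count, an error code or an enum ordinal; add a description (and `enum:` or `minimum`/`maximum` if it is a code) so the meaning lives in the CRD rather than only in the controller.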
@@ -6084,6 +6421,122 @@
required:
- serviceAccountRef
type: object
+ workloadIdentityFederation:
+ description: GCPWorkloadIdentityFederation holds the configurations required for
+ generating federated access tokens.
+ properties:
+ audience:
+ description: |-
+ audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
+ If specified, Audience found in the external account credential config will be overridden with the configured value.
+ audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
+ type: string
+ awsSecurityCredentials:
+ description: |-
+ awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
+ when using the AWS metadata server is not an option.
+ properties:
+ awsCredentialsSecretRef:
+ description: |-
+ awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
+ Secret should be created with below names for keys
+ - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
+ - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
+ - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
+ properties:
+ name:
+ description: name of the secret.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: namespace in which the secret exists. If empty, secret will looked
+ up in local namespace.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ region:
+ description: region is for configuring the AWS region to be used.
+ example: ap-south-1
+ maxLength: 50
+ minLength: 1
+ pattern: ^[a-z0-9-]+$
+ type: string
+ required:
+ - awsCredentialsSecretRef
+ - region
+ type: object
+ credConfig:
+ description: |-
+ credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
+ For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
+ serviceAccountRef must be used by providing operators service account details.
+ properties:
+ key:
+ description: key name holding the external account credential config.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: name of the configmap.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: namespace in which the configmap exists. If empty, configmap will
+ looked up in local namespace.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - key
+ - name
+ type: object
+ externalTokenEndpoint:
+ description: |-
+ externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
+ credential_source.url in the provided credConfig. This field is merely to double-check the external token source
+ URL is having the expected value.
+ type: string
+ serviceAccountRef:
+ description: |-
+ serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
+ when Kubernetes is configured as provider in workload identity pool.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ type: object
type: object
location:
description: Location optionally defines a location for a secret
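Review bot: this `workloadIdentityFederation` block is a verbatim copy of the one added to the ClusterGenerator CRD earlier in the diff, so the same gap applies here: the `audience` requirement and the mutual exclusion between `serviceAccountRef`, `awsSecurityCredentials` and `credConfig` are described but never validated. If both schemas are generated from one Go type, a single `+kubebuilder:validation:XValidation` marker on that type fixes both copies.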
@@ -6091,10 +6544,20 @@
projectID:
description: ProjectID project where secret is located
type: string
+ secretVersionSelectionPolicy:
+ default: LatestOrFail
+ description: |-
+ SecretVersionSelectionPolicy specifies how the provider selects a secret version
+ when "latest" is disabled or destroyed.
+ Possible values are:
+ - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
+ - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
+ type: string
type: object
github:
- description: Github configures this store to push Github Action secrets using
- Github API provider
+ description: |-
+ Github configures this store to push GitHub Action secrets using GitHub API provider.
+ Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
properties:
appID:
description: appID specifies the Github APP that will be used to authenticate
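Review bot: `secretVersionSelectionPolicy` lists its two legal values (`LatestOrFail`, `LatestOrFetch`) in the description but not as an `enum:`, unlike the other policy fields in this diff, so a typo is accepted and falls through to whatever the controller does for an unknown value. The `LatestOrFetch` text also needs tightening: "falls back to fetching the latest version if the version is DESTROYED or DISABLED" reads as a no-op; it should say which version is fetched instead (presumably the newest version that is still enabled).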
@@ -7336,6 +7799,65 @@
type: string
type: object
type: object
+ ngrok:
+ description: Ngrok configures this store to sync secrets using the ngrok
+ provider.
+ properties:
+ apiUrl:
+ default: https://api.ngrok.com
+ description: APIURL is the URL of the ngrok API.
+ type: string
+ auth:
+ description: Auth configures how the ngrok provider authenticates with the ngrok
+ API.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ apiKey:
+ description: APIKey is the API Key used to authenticate with ngrok. See
+ https://ngrok.com/docs/api/#authentication
+ properties:
+ secretRef:
+ description: SecretRef is a reference to a secret containing the ngrok API key.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ type: object
+ type: object
+ vault:
+ description: Vault configures the ngrok vault to sync secrets with.
+ properties:
+ name:
+ description: Name is the name of the ngrok vault to sync secrets with.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - auth
+ - vault
+ type: object
onboardbase:
description: Onboardbase configures this store to sync secrets using the
Onboardbase provider
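Review bot: in the ngrok provider, `auth.apiKey.secretRef` has `key`, `name` and `namespace` but no `required:` list, so `auth: {apiKey: {secretRef: {}}}` satisfies the `minProperties: 1` / `maxProperties: 1` constraint on `auth` while naming no Secret at all; `name` (and `key`) should be required as in the other providers. `apiUrl` defaults to https://api.ngrok.com but accepts any string, and the API key travels in requests to that URL, so a `pattern: ^https://` is worth adding.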
@@ -8010,6 +8532,9 @@
SecretServer configures this store to sync secrets using SecretServer provider
https://docs.delinea.com/online-help/secret-server/start.htm
properties:
+ domain:
+ description: Domain is the secret server domain.
+ type: string
password:
description: Password is the secret server account password.
properties:
@@ -8265,6 +8790,12 @@
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
+ path:
+ default: cert
+ description: |-
+ Path where the Certificate authentication backend is mounted
+ in Vault, e.g: "cert"
+ type: string
secretRef:
description: |-
SecretRef to a key in a Secret resource containing client private key to
@@ -8801,6 +9332,18 @@
- name
- type
type: object
+ checkAndSet:
+ description: |-
+ CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
+ Only applies to Vault KV v2 stores. When enabled, write operations must include
+ the current version of the secret to prevent unintentional overwrites.
+ properties:
+ required:
+ description: |-
+ Required when true, all write operations must include a check-and-set parameter.
+ This helps prevent unintentional overwrites of secrets.
+ type: boolean
+ type: object
forwardInconsistent:
description: |-
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
@@ -8916,6 +9459,112 @@
required:
- server
type: object
+ volcengine:
+ description: Volcengine configures this store to sync secrets using the
+ Volcengine provider
+ properties:
+ auth:
+ description: |-
+ Auth defines the authentication method to use.
+ If not specified, the provider will try to use IRSA (IAM Role for Service Account).
+ properties:
+ secretRef:
+ description: |-
+ SecretRef defines the static credentials to use for authentication.
+ If not set, IRSA is used.
+ properties:
+ accessKeyID:
+ description: AccessKeyID is the reference to the secret containing the Access
+ Key ID.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ secretAccessKey:
+ description: SecretAccessKey is the reference to the secret containing the
+ Secret Access Key.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ token:
+ description: Token is the reference to the secret containing the STS(Security
+ Token Service) Token.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - accessKeyID
+ - secretAccessKey
+ type: object
+ type: object
+ region:
+ description: Region specifies the Volcengine region to connect to.
+ type: string
+ required:
+ - region
+ type: object
webhook:
description: Webhook configures this store to sync secrets using a generic
templated webhook
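Review bot: the Volcengine `auth.secretRef` requires `accessKeyID` and `secretAccessKey`, but neither selector requires its own `name`/`key`, so an empty `accessKeyID: {}` passes validation; add `required: [name]` (or `[name, key]`) on each selector. The fallback wording also matters for review: with `auth` omitted the provider "will try to use IRSA", i.e. the controller's own pod identity is used for whatever this store reads or pushes, so for a ClusterSecretStore the description should spell out that every namespace allowed to reference the store inherits that identity.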
@@ -9108,7 +9757,7 @@
type: string
auth:
description: Auth defines the information necessary to authenticate against
- Yandex Certificate Manager
+ Yandex.Cloud
properties:
authorizedKeySecretRef:
description: The authorized key used for authentication
@@ -9170,6 +9819,30 @@
type: string
type: object
type: object
+ fetching:
+ description: FetchingPolicy configures the provider to interpret the
+ `data.secretKey.remoteRef.key` field in
+ ExternalSecret as certificate ID or certificate name
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ byID:
+ description: ByID configures the provider to interpret the
+ `data.secretKey.remoteRef.key` field in
+ ExternalSecret as secret ID.
+ type: object
+ byName:
+ description: ByName configures the provider to interpret the
+ `data.secretKey.remoteRef.key` field in
+ ExternalSecret as secret name.
+ properties:
+ folderID:
+ description: The folder to fetch secrets from
+ type: string
+ required:
+ - folderID
+ type: object
+ type: object
required:
- auth
type: object
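Review bot: the `byID` and `byName` descriptions in the Yandex Certificate Manager `fetching` block say "secret ID" and "secret name", copied from the Lockbox block further down, while the parent description correctly says "certificate ID or certificate name"; fix the two inner descriptions so the generated docs do not contradict the field they sit under.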
@@ -9182,7 +9855,7 @@
type: string
auth:
description: Auth defines the information necessary to authenticate against
- Yandex Lockbox
+ Yandex.Cloud
properties:
authorizedKeySecretRef:
description: The authorized key used for authentication
@@ -9244,6 +9917,30 @@
type: string
type: object
type: object
+ fetching:
+ description: FetchingPolicy configures the provider to interpret the
+ `data.secretKey.remoteRef.key` field in
+ ExternalSecret as secret ID or secret name
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ byID:
+ description: ByID configures the provider to interpret the
+ `data.secretKey.remoteRef.key` field in
+ ExternalSecret as secret ID.
+ type: object
+ byName:
+ description: ByName configures the provider to interpret the
+ `data.secretKey.remoteRef.key` field in
+ ExternalSecret as secret name.
+ properties:
+ folderID:
+ description: The folder to fetch secrets from
+ type: string
+ required:
+ - folderID
+ type: object
+ type: object
required:
- auth
type: object
@@ -13628,7 +14325,7 @@
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: ecrauthorizationtokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
@@ -13823,7 +14520,7 @@
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: externalsecrets.external-secrets.io
spec:
group: external-secrets.io
@@ -13958,6 +14655,7 @@
enum:
- ACRAccessToken
- ClusterGenerator
+ - CloudsmithAccessToken
- ECRAuthorizationToken
- Fake
- GCRAccessToken
@@ -14109,6 +14807,9 @@
conflictPolicy:
default: Error
description: Used to define the policy to use in conflict resolution.
+ enum:
+ - Ignore
+ - Error
type: string
into:
default: ""
@@ -14121,9 +14822,20 @@
items:
type: string
type: array
+ priorityPolicy:
+ default: Strict
+ description: Used to define the policy when a key in the priority list does not
+ exist in the input.
+ enum:
+ - IgnoreNotFound
+ - Strict
+ type: string
strategy:
default: Extract
description: Used to define the strategy to use in the merge operation.
+ enum:
+ - Extract
+ - JSON
type: string
type: object
regexp:
@@ -14179,6 +14891,7 @@
enum:
- ACRAccessToken
- ClusterGenerator
+ - CloudsmithAccessToken
- ECRAuthorizationToken
- Fake
- GCRAccessToken
@@ -14335,6 +15048,10 @@
additionalProperties:
type: string
type: object
+ finalizers:
+ items:
+ type: string
+ type: array
labels:
additionalProperties:
type: string
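Review bot: allowing `finalizers` in the target template metadata means an ExternalSecret author can attach a finalizer to the generated Secret that blocks its deletion until someone clears it. The hunk does not say who removes such finalizers when the ExternalSecret is deleted, or whether the controller only removes finalizers it set itself; suggest documenting that in the field description so that cluster operators know a stuck Secret with a user-supplied finalizer is expected behaviour and not a controller bug.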
@@ -14455,6 +15172,9 @@
status:
type: string
type:
+ enum:
+ - Ready
+ - Deleted
type: string
required:
- status
@@ -14473,6 +15193,11 @@
type: string
type: object
type: object
+ selectableFields:
+ - jsonPath: .spec.secretStoreRef.name
+ - jsonPath: .spec.secretStoreRef.kind
+ - jsonPath: .spec.target.name
+ - jsonPath: .spec.refreshInterval
served: true
storage: true
subresources:
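Review bot: `selectableFields` depends on the `CustomResourceFieldSelectors` feature gate (beta and on by default from Kubernetes 1.31, GA in 1.32); on older API servers the field is unknown to `apiextensions.k8s.io/v1` and is either dropped with a warning or rejected under strict field validation. Suggest checking the chart's `kubeVersion` constraint, or noting in the upgrade notes that field selectors on `.spec.secretStoreRef.name`, `.spec.secretStoreRef.kind`, `.spec.target.name` and `.spec.refreshInterval` require that minimum version.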
@@ -15097,7 +15822,7 @@
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: fakes.generators.external-secrets.io
spec:
group: generators.external-secrets.io
@@ -15163,7 +15888,7 @@
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
+ controller-gen.kubebuilder.io/version: v0.19.0
name: gcraccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
@@ -15276,6 +16001,122 @@
- clusterName
- serviceAccountRef
type: object
+ workloadIdentityFederation:
+ description: GCPWorkloadIdentityFederation holds the configurations required for
+ generating federated access tokens.
+ properties:
+ audience:
+ description: |-
+ audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
+ If specified, Audience found in the external account credential config will be overridden with the configured value.
+ audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
+ type: string
+ awsSecurityCredentials:
+ description: |-
+ awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
+ when using the AWS metadata server is not an option.
+ properties:
+ awsCredentialsSecretRef:
+ description: |-
+ awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
+ Secret should be created with below names for keys
+ - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
+ - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
+ - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
+ properties:
+ name:
+ description: name of the secret.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: namespace in which the secret exists. If empty, secret will looked
+ up in local namespace.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ region:
+ description: region is for configuring the AWS region to be used.
+ example: ap-south-1
+ maxLength: 50
+ minLength: 1
+ pattern: ^[a-z0-9-]+$
+ type: string
+ required:
+ - awsCredentialsSecretRef
+ - region
+ type: object
+ credConfig:
+ description: |-
+ credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
+ For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
+ serviceAccountRef must be used by providing operators service account details.
+ properties:
+ key:
+ description: key name holding the external account credential config.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: name of the configmap.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*...*[Comment body truncated]* |
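Review bot: `awsCredentialsSecretRef.namespace` lets a namespaced GCRAccessToken generator point at a Secret in another namespace, which is a privilege boundary: a tenant who can create generators in their own namespace should not be able to read AWS credentials held elsewhere. The hunk does not show how the controller treats that field for the namespaced kind, so please confirm it is either ignored or rejected there and only honoured for cluster-scoped use, and state that in the description. Two wording fixes in the same hunk: "secret will looked up in local namespace" should read "the secret will be looked up in the local namespace", and "Operators mounted serviceaccount token" should read "The operator's mounted service account token".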
| datasource | package          | from   | to     |
| ---------- | ---------------- | ------ | ------ |
| helm       | external-secrets | 0.19.2 | 0.20.4 |

Signed-off-by: Roger Rumao <rogerrum@users.noreply.github.com>
This PR contains the following updates:

0.19.2 → 0.20.4

Release Notes

external-secrets/external-secrets (external-secrets)

v0.20.4 (Compare Source)

Image: ghcr.io/external-secrets/external-secrets:v0.20.4
Image: ghcr.io/external-secrets/external-secrets:v0.20.4-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.20.4-ubi-boringssl

What's Changed

General
api and cmd package by @Lumexralph in #5413

Dependencies
534c2c0 to 2f698e1 by @dependabot[bot] in #5452
4bcff63 to 4b7ce07 by @dependabot[bot] in #5451
06083b7 to 5dc01db by @dependabot[bot] in #5482

New Contributors

Full Changelog: external-secrets/external-secrets@v0.20.3...v0.20.4

v0.20.3 (Compare Source)

Image: ghcr.io/external-secrets/external-secrets:v0.20.3
Image: ghcr.io/external-secrets/external-secrets:v0.20.3-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.20.3-ubi-boringssl

What's Changed

General
pkg by @Lumexralph in #5412

Dependencies
6ad9415 to c423747 in /e2e by @dependabot[bot] in #5423
b6ed3fd to b6ed3fd by @dependabot[bot] in #5419

New Contributors

Full Changelog: external-secrets/external-secrets@v0.20.2...v0.20.3

v0.20.2 (Compare Source)

Image: ghcr.io/external-secrets/external-secrets:v0.20.2
Image: ghcr.io/external-secrets/external-secrets:v0.20.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.20.2-ubi-boringssl

What's Changed

General
enable by @Skarlso in #5369
(pkg/providers) by @Lumexralph in #5362

Dependencies

New Contributors

Full Changelog: external-secrets/external-secrets@v0.20.0...v0.20.2

v0.20.1 (Compare Source)

Image: ghcr.io/external-secrets/external-secrets:v0.20.1
Image: ghcr.io/external-secrets/external-secrets:v0.20.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.20.1-ubi-boringssl

What's Changed

General
ADOPTERS.md to include SAP by @jakobmoellerdev in #5165
helm-values-schema-json schema plugin management logic by @jakobmoellerdev in #5212

Dependencies
4f0a4e4 to 7010e70 by @dependabot[bot] in #5193
7010e70 to 534c2c0 by @dependabot[bot] in #5237
2e114d2 to f2ff10a by @dependabot[bot] in #5240
b6ed3fd to b6ed3fd by @dependabot[bot] in #5318
f2ff10a to 87bce11 by @dependabot[bot] in #5320

Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.