diff --git a/docs/examples/src/charts/charts.k b/docs/examples/src/charts/charts.k index bc319dbf..d5a00c02 100644 --- a/docs/examples/src/charts/charts.k +++ b/docs/examples/src/charts/charts.k @@ -44,7 +44,7 @@ charts: helm.Charts = { chart = "external-secrets" repoURL = "https://charts.external-secrets.io/" schemaGenerator = "AUTO" - targetRevision = "0.20.4" + targetRevision = "1.1.1" crdGenerator = "TEMPLATE" values: { installCRDs = True diff --git a/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_external_secret.k b/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_external_secret.k index 036f6a85..257a0f78 100644 --- a/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_external_secret.k +++ b/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_external_secret.k @@ -45,12 +45,12 @@ schema ExternalSecretsIoV1ExternalSecretSpec: dataFrom : [ExternalSecretsIoV1ExternalSecretSpecDataFromItems0], default is Undefined, optional DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - refreshInterval : str, default is "1h", optional + refreshInterval : str, default is "1h0m0s", optional RefreshInterval is the amount of time before the values are read again from the SecretStore provider, specified as Golang Duration strings. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. + Example values: "1h0m0s", "2h30m0s", "10m0s" + May be set to "0s" to fetch and create it once. Defaults to 1h0m0s. refreshPolicy : str, default is Undefined, optional RefreshPolicy determines how the ExternalSecret should be refreshed: - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter 
@@ -64,7 +64,7 @@ schema ExternalSecretsIoV1ExternalSecretSpec: """ data?: [ExternalSecretsIoV1ExternalSecretSpecDataItems0] dataFrom?: [ExternalSecretsIoV1ExternalSecretSpecDataFromItems0] - refreshInterval?: str = "1h" + refreshInterval?: str = "1h0m0s" refreshPolicy?: "CreatedOnce" | "Periodic" | "OnChange" secretStoreRef?: ExternalSecretsIoV1ExternalSecretSpecSecretStoreRef target?: ExternalSecretsIoV1ExternalSecretSpecTarget @@ -435,6 +435,8 @@ schema ExternalSecretsIoV1ExternalSecretSpecTarget: Defaults to "Retain" immutable : bool, default is Undefined, optional Immutable defines if the final secret will be immutable + manifest : ExternalSecretsIoV1ExternalSecretSpecTargetManifest, default is Undefined, optional + manifest name : str, default is Undefined, optional The name of the Secret resource to be managed. Defaults to the .metadata.name of the ExternalSecret resource @@ -444,6 +446,7 @@ schema ExternalSecretsIoV1ExternalSecretSpecTarget: creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" = "Owner" deletionPolicy?: "Delete" | "Merge" | "Retain" = "Retain" immutable?: bool + manifest?: ExternalSecretsIoV1ExternalSecretSpecTargetManifest name?: str template?: ExternalSecretsIoV1ExternalSecretSpecTargetTemplate 
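Review bot: The Attributes entry added for `manifest` in the `@@ -435,6 +435,8 @@` hunk describes the field with only the word "manifest", which tells a reader nothing about the fact that setting it makes the controller write the fetched data into a resource kind other than Secret. A one-line summary would help, e.g. `Manifest defines a custom Kubernetes resource (e.g. ConfigMap) to create instead of a Secret; see the warning on ExternalSecretsIoV1ExternalSecretSpecTargetManifest about access policies and encryption.` If this file is regenerated from the upstream CRD, the wording has to come from the CRD description rather than from an edit here. The enclosing schema ExternalSecretsIoV1ExternalSecretSpecTarget starts and ends outside the hunk.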
@@ -452,6 +455,28 @@ schema ExternalSecretsIoV1ExternalSecretSpecTarget: len(name) >= 1 if name _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if name +schema ExternalSecretsIoV1ExternalSecretSpecTargetManifest: + r""" + Manifest defines a custom Kubernetes resource to create instead of a Secret. + When specified, ExternalSecret will create the resource type defined here + (e.g., ConfigMap, Custom Resource) instead of a Secret. + Warning: Using Generic target. Make sure access policies and encryption are properly configured. + + Attributes + ---------- + apiVersion : str, default is Undefined, required + APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application) + kind : str, default is Undefined, required + Kind of the target resource (e.g., "ConfigMap", "Application") + """ + apiVersion: str + + kind: str + + check: + len(apiVersion) >= 1 + len(kind) >= 1 + schema ExternalSecretsIoV1ExternalSecretSpecTargetTemplate: r""" Template defines a blueprint for the created Secret resource. 
@@ -511,12 +536,15 @@ schema ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0: secret : ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0Secret, default is Undefined, optional secret target : str, default is "Data", optional - TemplateTarget specifies where the rendered templates should be applied. + Target specifies where to place the template result. + For Secret resources, common values are: "Data", "Annotations", "Labels". + For custom resources (when spec.target.manifest is set), this supports + nested paths like "spec.database.config" or "data". """ configMap?: ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0ConfigMap literal?: str secret?: ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0Secret - target?: "Data" | "Annotations" | "Labels" = "Data" + target?: str = "Data" schema ExternalSecretsIoV1ExternalSecretSpecTargetTemplateTemplateFromItems0ConfigMap: r""" diff --git a/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_secret_store.k b/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_secret_store.k index bddf85f0..8754c872 100644 --- a/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_secret_store.k +++ b/docs/examples/src/charts/external_secrets/api/v1/external_secrets_io_v1_secret_store.k @@ -2809,9 +2809,12 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderIbmAuthSecretRef: Attributes ---------- + iamEndpoint : str, default is Undefined, optional + The IAM endpoint used to obain a token secretApiKeySecretRef : ExternalSecretsIoV1SecretStoreSpecProviderIbmAuthSecretRefSecretAPIKeySecretRef, default is Undefined, optional secret Api key secret ref """ + iamEndpoint?: str secretApiKeySecretRef?: ExternalSecretsIoV1SecretStoreSpecProviderIbmAuthSecretRefSecretAPIKeySecretRef schema ExternalSecretsIoV1SecretStoreSpecProviderIbmAuthSecretRefSecretAPIKeySecretRef: 
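Review bot: `target?: str = "Data"` drops the former `"Data" | "Annotations" | "Labels"` union, so the KCL schema no longer rejects a misspelled target such as "data" or "annotation" for an ordinary Secret, and the new docstring does not say that the listed values are merely conventional. The same loosening appears in the ClusterPushSecret and PushSecret TemplateFromItems0 schemas later in this diff. If the field has to stay a plain `str` to mirror the upstream CRD, the description could at least end with `Note: values are not validated by this schema.` so a reader does not assume the enum is still enforced. The enclosing schema starts outside the hunk.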
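Review bot: The new `iamEndpoint` description reads "used to obain a token"; it should read `The IAM endpoint used to obtain a token`. Since this endpoint presumably receives the IBM API key referenced by `secretApiKeySecretRef` in exchange for a token, the description would be more useful if it also stated that the value is expected to be an HTTPS URL and whether it replaces the provider's default IAM endpoint — confirm the latter against the upstream CRD before wording it. If the file is generated from the CRD, both fixes belong upstream. The enclosing schema starts before the hunk.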
@@ -5021,6 +5024,12 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserver: Attributes ---------- + caBundle : str, default is Undefined, optional + PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used + if the ServerURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. + caProvider : ExternalSecretsIoV1SecretStoreSpecProviderSecretserverCaProvider, default is Undefined, optional + ca provider domain : str, default is Undefined, optional Domain is the secret server domain. password : ExternalSecretsIoV1SecretStoreSpecProviderSecretserverPassword, default is Undefined, required @@ -5031,6 +5040,8 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserver: username : ExternalSecretsIoV1SecretStoreSpecProviderSecretserverUsername, default is Undefined, required username """ + caBundle?: str + caProvider?: ExternalSecretsIoV1SecretStoreSpecProviderSecretserverCaProvider domain?: str password: ExternalSecretsIoV1SecretStoreSpecProviderSecretserverPassword 
@@ -5038,6 +5049,39 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserver: username: ExternalSecretsIoV1SecretStoreSpecProviderSecretserverUsername +schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserverCaProvider: + r""" + The provider for the CA bundle to use to validate Secret ServerURL certificate. + + Attributes + ---------- + key : str, default is Undefined, optional + The key where the CA certificate can be found in the Secret or ConfigMap. + name : str, default is Undefined, required + The name of the object located at the provider type. + namespace : str, default is Undefined, optional + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + $type : str, default is Undefined, required + The type of provider to use such as "Secret", or "ConfigMap". + """ + key?: str + name: str + + namespace?: str + $type: "Secret" | "ConfigMap" + + check: + len(key) <= 253 if key + len(key) >= 1 if key + _regex_match(str(key), r"^[-._a-zA-Z0-9]+$") if key + len(name) <= 253 + len(name) >= 1 + _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + len(namespace) <= 63 if namespace + len(namespace) >= 1 if namespace + _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace + schema ExternalSecretsIoV1SecretStoreSpecProviderSecretserverPassword: r""" Password is the secret server account password. @@ -5264,6 +5308,8 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuth: app role cert : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthCert, default is Undefined, optional cert + gcp : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcp, default is Undefined, optional + gcp iam : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthIam, default is Undefined, optional iam jwt : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthJwt, default is Undefined, optional 
@@ -5285,6 +5331,7 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuth: """ appRole?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthAppRole cert?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthCert + gcp?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcp iam?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthIam jwt?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthJwt kubernetes?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthKubernetes 
@@ -5464,6 +5511,159 @@ schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthCertSecretRef: len(namespace) >= 1 if namespace _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace +schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcp: + r""" + Gcp authenticates with Vault using Google Cloud Platform authentication method + GCP authentication method + + Attributes + ---------- + location : str, default is Undefined, optional + Location optionally defines a location/region for the secret + path : str, default is "gcp", optional + Path where the GCP auth method is enabled in Vault, e.g: "gcp" + projectID : str, default is Undefined, optional + Project ID of the Google Cloud Platform project + role : str, default is Undefined, required + Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine. + secretRef : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRef, default is Undefined, optional + secret ref + serviceAccountRef : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpServiceAccountRef, default is Undefined, optional + service account ref + workloadIdentity : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentity, default is Undefined, optional + workload identity + """ + location?: str + path?: str = "gcp" + projectID?: str + role: str + + secretRef?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRef + serviceAccountRef?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpServiceAccountRef + workloadIdentity?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentity + +schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRef: + r""" + Specify credentials in a Secret object + + Attributes + ---------- + secretAccessKeySecretRef : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRefSecretAccessKeySecretRef, default is Undefined, optional + secret 
access key secret ref + """ + secretAccessKeySecretRef?: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRefSecretAccessKeySecretRef + +schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpSecretRefSecretAccessKeySecretRef: + r""" + The SecretAccessKey is used for authentication + + Attributes + ---------- + key : str, default is Undefined, optional + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + name : str, default is Undefined, optional + The name of the Secret resource being referred to. + namespace : str, default is Undefined, optional + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + """ + key?: str + name?: str + namespace?: str + + check: + len(key) <= 253 if key + len(key) >= 1 if key + _regex_match(str(key), r"^[-._a-zA-Z0-9]+$") if key + len(name) <= 253 if name + len(name) >= 1 if name + _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if name + len(namespace) <= 63 if namespace + len(namespace) >= 1 if namespace + _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace + +schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpServiceAccountRef: + r""" + ServiceAccountRef to a service account for impersonation + + Attributes + ---------- + audiences : [str], default is Undefined, optional + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + name : str, default is Undefined, required + The name of the ServiceAccount resource being referred to. + namespace : str, default is Undefined, optional + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ """ + audiences?: [str] + name: str + + namespace?: str + + check: + len(name) <= 253 + len(name) >= 1 + _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + len(namespace) <= 63 if namespace + len(namespace) >= 1 if namespace + _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace + +schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentity: + r""" + Specify a service account with Workload Identity + + Attributes + ---------- + clusterLocation : str, default is Undefined, optional + ClusterLocation is the location of the cluster + If not specified, it fetches information from the metadata server + clusterName : str, default is Undefined, optional + ClusterName is the name of the cluster + If not specified, it fetches information from the metadata server + clusterProjectID : str, default is Undefined, optional + ClusterProjectID is the project ID of the cluster + If not specified, it fetches information from the metadata server + serviceAccountRef : ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentityServiceAccountRef, default is Undefined, required + service account ref + """ + clusterLocation?: str + clusterName?: str + clusterProjectID?: str + serviceAccountRef: ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentityServiceAccountRef + +schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthGcpWorkloadIdentityServiceAccountRef: + r""" + ServiceAccountSelector is a reference to a ServiceAccount resource. + + Attributes + ---------- + audiences : [str], default is Undefined, optional + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + name : str, default is Undefined, required + The name of the ServiceAccount resource being referred to. 
+ namespace : str, default is Undefined, optional + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + """ + audiences?: [str] + name: str + + namespace?: str + + check: + len(name) <= 253 + len(name) >= 1 + _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + len(namespace) <= 63 if namespace + len(namespace) >= 1 if namespace + _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace + schema ExternalSecretsIoV1SecretStoreSpecProviderVaultAuthIam: r""" Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials diff --git a/docs/examples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_cluster_push_secret.k b/docs/examples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_cluster_push_secret.k index e19d9ce3..30171d09 100644 --- a/docs/examples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_cluster_push_secret.k +++ b/docs/examples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_cluster_push_secret.k @@ -129,7 +129,7 @@ schema ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpec: Secret Data that should be pushed to providers deletionPolicy : str, default is "None", optional Deletion Policy to handle Secrets in the provider. - refreshInterval : str, default is "1h", optional + refreshInterval : str, default is "1h0m0s", optional The Interval to which External Secrets will try to push a secret definition secretStoreRefs : [ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecSecretStoreRefsItems0], default is Undefined, required secret store refs 
@@ -142,7 +142,7 @@ schema ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpec: """ data?: [ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecDataItems0] deletionPolicy?: "Delete" | "None" = "None" - refreshInterval?: str = "1h" + refreshInterval?: str = "1h0m0s" secretStoreRefs: [ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecSecretStoreRefsItems0] selector: ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecSelector @@ -416,12 +416,15 @@ schema ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTempl secret : ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTemplateFromItems0Secret, default is Undefined, optional secret target : str, default is "Data", optional - TemplateTarget specifies where the rendered templates should be applied. + Target specifies where to place the template result. + For Secret resources, common values are: "Data", "Annotations", "Labels". + For custom resources (when spec.target.manifest is set), this supports + nested paths like "spec.database.config" or "data". """ configMap?: ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTemplateFromItems0ConfigMap literal?: str secret?: ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTemplateFromItems0Secret - target?: "Data" | "Annotations" | "Labels" = "Data" + target?: str = "Data" schema ExternalSecretsIoV1alpha1ClusterPushSecretSpecPushSecretSpecTemplateTemplateFromItems0ConfigMap: r""" diff --git a/docs/examples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_push_secret.k b/docs/examples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_push_secret.k index f7f0552b..136037f8 100644 --- a/docs/examples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_push_secret.k +++ b/docs/examples/src/charts/external_secrets/api/v1alpha1/external_secrets_io_v1alpha1_push_secret.k 
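Review bot: The new `target` description in the `@@ -416,12 +416,15 @@` hunk says nested paths are supported "when spec.target.manifest is set", but that path belongs to ExternalSecret; the ClusterPushSecret pushSecretSpec fields visible in this diff (`data`, `deletionPolicy`, `refreshInterval`, `secretStoreRefs`, `selector`) show no `target` field, so the sentence appears to have been copied from the ExternalSecret CRD. The same text is repeated in the PushSecret schema in the next file. If a PushSecret template really has no custom-resource target, the two "For custom resources ..." lines should be dropped or reworded for this resource, in the upstream description if the file is generated. `target?: str = "Data"` also drops the former enum here, as in the ExternalSecret schema. The enclosing schema starts outside the hunk.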
@@ -43,7 +43,7 @@ schema ExternalSecretsIoV1alpha1PushSecretSpec: Secret Data that should be pushed to providers deletionPolicy : str, default is "None", optional Deletion Policy to handle Secrets in the provider. - refreshInterval : str, default is "1h", optional + refreshInterval : str, default is "1h0m0s", optional The Interval to which External Secrets will try to push a secret definition secretStoreRefs : [ExternalSecretsIoV1alpha1PushSecretSpecSecretStoreRefsItems0], default is Undefined, required secret store refs @@ -56,7 +56,7 @@ schema ExternalSecretsIoV1alpha1PushSecretSpec: """ data?: [ExternalSecretsIoV1alpha1PushSecretSpecDataItems0] deletionPolicy?: "Delete" | "None" = "None" - refreshInterval?: str = "1h" + refreshInterval?: str = "1h0m0s" secretStoreRefs: [ExternalSecretsIoV1alpha1PushSecretSpecSecretStoreRefsItems0] selector: ExternalSecretsIoV1alpha1PushSecretSpecSelector @@ -330,12 +330,15 @@ schema ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0: secret : ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0Secret, default is Undefined, optional secret target : str, default is "Data", optional - TemplateTarget specifies where the rendered templates should be applied. + Target specifies where to place the template result. + For Secret resources, common values are: "Data", "Annotations", "Labels". + For custom resources (when spec.target.manifest is set), this supports + nested paths like "spec.database.config" or "data". """ configMap?: ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0ConfigMap literal?: str secret?: ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0Secret - target?: "Data" | "Annotations" | "Labels" = "Data" + target?: str = "Data" schema ExternalSecretsIoV1alpha1PushSecretSpecTemplateTemplateFromItems0ConfigMap: r""" 
diff --git a/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_password.k b/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_password.k index 99d5471b..e39b7ec3 100644 --- a/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_password.k +++ b/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_password.k @@ -53,6 +53,9 @@ schema GeneratorsExternalSecretsIoV1alpha1PasswordSpec: Defaults to 24 noUpper : bool, default is Undefined, required Set NoUpper to disable uppercase characters + secretKeys : [str], default is Undefined, optional + SecretKeys defines the keys that will be populated with generated passwords. + Defaults to "password" when not set. symbolCharacters : str, default is Undefined, optional SymbolCharacters specifies the special characters that should be used in the generated password. @@ -68,6 +71,10 @@ schema GeneratorsExternalSecretsIoV1alpha1PasswordSpec: noUpper: bool = False + secretKeys?: [str] symbolCharacters?: str symbols?: int + check: + len(secretKeys) >= 1 if secretKeys + diff --git a/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_ssh_key.k b/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_ssh_key.k index e71d3aa6..4998466f 100644 --- a/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_ssh_key.k +++ b/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_ssh_key.k 
@@ -36,15 +36,16 @@ schema GeneratorsExternalSecretsIoV1alpha1SSHKeySpec: comment : str, default is Undefined, optional Comment specifies an optional comment for the SSH key keySize : int, default is Undefined, optional - KeySize specifies the key size for RSA keys (default: 2048) + KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256). For RSA keys: 2048, 3072, 4096 + For ECDSA keys: 256, 384, 521 Ignored for ed25519 keys keyType : str, default is "rsa", optional - KeyType specifies the SSH key type (rsa, ed25519) + KeyType specifies the SSH key type (rsa, ecdsa, ed25519) """ comment?: str keySize?: int - keyType?: "rsa" | "ed25519" = "rsa" + keyType?: "rsa" | "ecdsa" | "ed25519" = "rsa" check: keySize <= 8192 if keySize not in [None, Undefined] diff --git a/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_vault_dynamic_secret.k b/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_vault_dynamic_secret.k index 5bdeea4c..0a111c0b 100644 --- a/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_vault_dynamic_secret.k +++ b/docs/examples/src/charts/external_secrets/api/v1alpha1/generators_external_secrets_io_v1alpha1_vault_dynamic_secret.k @@ -140,6 +140,8 @@ schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuth: app role cert : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthCert, default is Undefined, optional cert + gcp : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcp, default is Undefined, optional + gcp iam : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthIam, default is Undefined, optional iam jwt : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthJwt, default is Undefined, optional 
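Review bot: The `keySize` description now lists the valid ECDSA sizes (256, 384, 521), but the only constraint visible in the hunk is `keySize <= 8192 if keySize not in [None, Undefined]`, which applies regardless of `keyType`, so an ECDSA key with a size such as 2048 still passes the KCL check; the rest of the `check:` block is outside the hunk, so there may be further rules. If this schema is hand-maintained, a per-type rule could be added, e.g. `keySize in [256, 384, 521] if keyType == "ecdsa" and keySize not in [None, Undefined]`; if it is regenerated from the CRD, the rule has to come from the CRD's validation instead. The "Ignored for ed25519 keys" sentence remains consistent with the added lines.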
@@ -161,6 +163,7 @@ schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuth: """ appRole?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthAppRole cert?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthCert + gcp?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcp iam?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthIam jwt?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthJwt kubernetes?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthKubernetes 
@@ -340,6 +343,159 @@ schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthCert len(namespace) >= 1 if namespace _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace +schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcp: + r""" + Gcp authenticates with Vault using Google Cloud Platform authentication method + GCP authentication method + + Attributes + ---------- + location : str, default is Undefined, optional + Location optionally defines a location/region for the secret + path : str, default is "gcp", optional + Path where the GCP auth method is enabled in Vault, e.g: "gcp" + projectID : str, default is Undefined, optional + Project ID of the Google Cloud Platform project + role : str, default is Undefined, required + Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine. + secretRef : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpSecretRef, default is Undefined, optional + secret ref + serviceAccountRef : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpServiceAccountRef, default is Undefined, optional + service account ref + workloadIdentity : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpWorkloadIdentity, default is Undefined, optional + workload identity + """ + location?: str + path?: str = "gcp" + projectID?: str + role: str + + secretRef?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpSecretRef + serviceAccountRef?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpServiceAccountRef + workloadIdentity?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpWorkloadIdentity + +schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpSecretRef: + r""" + Specify credentials in a Secret object + + Attributes + ---------- + 
secretAccessKeySecretRef : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpSecretRefSecretAccessKeySecretRef, default is Undefined, optional + secret access key secret ref + """ + secretAccessKeySecretRef?: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpSecretRefSecretAccessKeySecretRef + +schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpSecretRefSecretAccessKeySecretRef: + r""" + The SecretAccessKey is used for authentication + + Attributes + ---------- + key : str, default is Undefined, optional + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + name : str, default is Undefined, optional + The name of the Secret resource being referred to. + namespace : str, default is Undefined, optional + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + """ + key?: str + name?: str + namespace?: str + + check: + len(key) <= 253 if key + len(key) >= 1 if key + _regex_match(str(key), r"^[-._a-zA-Z0-9]+$") if key + len(name) <= 253 if name + len(name) >= 1 if name + _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") if name + len(namespace) <= 63 if namespace + len(namespace) >= 1 if namespace + _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace + +schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpServiceAccountRef: + r""" + ServiceAccountRef to a service account for impersonation + + Attributes + ---------- + audiences : [str], default is Undefined, optional + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list + name : str, default is Undefined, required + The name of the ServiceAccount resource being referred to. + namespace : str, default is Undefined, optional + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + """ + audiences?: [str] + name: str + + namespace?: str + + check: + len(name) <= 253 + len(name) >= 1 + _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + len(namespace) <= 63 if namespace + len(namespace) >= 1 if namespace + _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace + +schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpWorkloadIdentity: + r""" + Specify a service account with Workload Identity + + Attributes + ---------- + clusterLocation : str, default is Undefined, optional + ClusterLocation is the location of the cluster + If not specified, it fetches information from the metadata server + clusterName : str, default is Undefined, optional + ClusterName is the name of the cluster + If not specified, it fetches information from the metadata server + clusterProjectID : str, default is Undefined, optional + ClusterProjectID is the project ID of the cluster + If not specified, it fetches information from the metadata server + serviceAccountRef : GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpWorkloadIdentityServiceAccountRef, default is Undefined, required + service account ref + """ + clusterLocation?: str + clusterName?: str + clusterProjectID?: str + serviceAccountRef: GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpWorkloadIdentityServiceAccountRef + +schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthGcpWorkloadIdentityServiceAccountRef: + r""" + ServiceAccountSelector is a reference to a ServiceAccount 
resource. + + Attributes + ---------- + audiences : [str], default is Undefined, optional + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + name : str, default is Undefined, required + The name of the ServiceAccount resource being referred to. + namespace : str, default is Undefined, optional + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + """ + audiences?: [str] + name: str + + namespace?: str + + check: + len(name) <= 253 + len(name) >= 1 + _regex_match(str(name), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") + len(namespace) <= 63 if namespace + len(namespace) >= 1 if namespace + _regex_match(str(namespace), r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$") if namespace + schema GeneratorsExternalSecretsIoV1alpha1VaultDynamicSecretSpecProviderAuthIam: r""" Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials diff --git a/docs/examples/src/charts/external_secrets/api/v1beta1/external_secrets_io_v1beta1_external_secret.k b/docs/examples/src/charts/external_secrets/api/v1beta1/external_secrets_io_v1beta1_external_secret.k index 9f1c1b5e..3e56bd35 100644 --- a/docs/examples/src/charts/external_secrets/api/v1beta1/external_secrets_io_v1beta1_external_secret.k +++ b/docs/examples/src/charts/external_secrets/api/v1beta1/external_secrets_io_v1beta1_external_secret.k 
@@ -44,12 +44,12 @@ schema ExternalSecretsIoV1beta1ExternalSecretSpec: dataFrom : [ExternalSecretsIoV1beta1ExternalSecretSpecDataFromItems0], default is Undefined, optional DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - refreshInterval : str, default is "1h", optional + refreshInterval : str, default is "1h0m0s", optional RefreshInterval is the amount of time before the values are read again from the SecretStore provider, specified as Golang Duration strings. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" - Example values: "1h", "2h30m", "10s" - May be set to zero to fetch and create it once. Defaults to 1h. + Example values: "1h0m0s", "2h30m0s", "10m0s" + May be set to "0s" to fetch and create it once. Defaults to 1h0m0s. refreshPolicy : str, default is Undefined, optional RefreshPolicy determines how the ExternalSecret should be refreshed: - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter @@ -63,7 +63,7 @@ schema ExternalSecretsIoV1beta1ExternalSecretSpec: """ data?: [ExternalSecretsIoV1beta1ExternalSecretSpecDataItems0] dataFrom?: [ExternalSecretsIoV1beta1ExternalSecretSpecDataFromItems0] - refreshInterval?: str = "1h" + refreshInterval?: str = "1h0m0s" refreshPolicy?: "CreatedOnce" | "Periodic" | "OnChange" secretStoreRef?: ExternalSecretsIoV1beta1ExternalSecretSpecSecretStoreRef target?: ExternalSecretsIoV1beta1ExternalSecretSpecTarget diff --git a/docs/examples/src/charts/external_secrets/chart.k b/docs/examples/src/charts/external_secrets/chart.k index f999881e..7528d341 100644 --- a/docs/examples/src/charts/external_secrets/chart.k +++ b/docs/examples/src/charts/external_secrets/chart.k 
@@ -14,10 +14,10 @@ schema Chart(helm.Chart): values : Values | any, optional, default is {crds = {createClusterExternalSecret = False, createClusterGenerator = False, createClusterSecretStore = False, createPushSecret = True}, installCRDs = True} chart : str, required, default is "external-secrets" repoURL : str, required, default is "https://charts.external-secrets.io/" - targetRevision : str, optional, default is "0.20.4" + targetRevision : str, optional, default is "1.1.1" """ values?: Values | any = {crds = {createClusterExternalSecret = False, createClusterGenerator = False, createClusterSecretStore = False, createPushSecret = True}, installCRDs = True} chart: str = "external-secrets" repoURL: str = "https://charts.external-secrets.io/" - targetRevision?: str = "0.20.4" + targetRevision?: str = "1.1.1" diff --git a/docs/examples/src/charts/external_secrets/values.schema.json b/docs/examples/src/charts/external_secrets/values.schema.json index e6a46fc5..b212bd2a 100644 --- a/docs/examples/src/charts/external_secrets/values.schema.json +++ b/docs/examples/src/charts/external_secrets/values.schema.json @@ -436,6 +436,20 @@ "required": [], "type": "string" }, + "genericTargets": { + "properties": { + "enabled": { + "required": [], + "type": "boolean" + }, + "resources": { + "required": [], + "type": "array" + } + }, + "required": [], + "type": "object" + }, "global": { "properties": { "affinity": { diff --git a/docs/examples/src/charts/external_secrets/values.schema.k b/docs/examples/src/charts/external_secrets/values.schema.k index 771a5a4f..770d4c36 100644 --- a/docs/examples/src/charts/external_secrets/values.schema.k +++ b/docs/examples/src/charts/external_secrets/values.schema.k 
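Review bot: The new `genericTargets.resources` entry in values.schema.json is declared only as `"type": "array"` with no `items` schema, so values validation accepts any element shape and a malformed entry is caught, if at all, only when the chart renders. Since a "generic targets" feature presumably lets the operator manage resources other than Secrets, the entries are the kind of thing that should be validated before they reach the cluster; pinning at least `"items": { "type": "object" }` would do that. This file appears to be regenerated from the upstream chart, so if that is the case the tightening belongs in the generator's input rather than a hand edit here.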
@@ -30,6 +30,7 @@ schema Values:
     extraVolumeMounts : any, optional
     extraVolumes : any, optional
     fullnameOverride : str, optional
+    genericTargets : ValuesGenericTargets, optional
     global : ValuesGlobal, optional
     grafanaDashboard : ValuesGrafanaDashboard, optional
     hostNetwork : bool, optional
@@ -92,6 +93,7 @@ schema Values:
     extraVolumeMounts?: any
     extraVolumes?: any
     fullnameOverride?: str
+    genericTargets?: ValuesGenericTargets
     global?: ValuesGlobal
     grafanaDashboard?: ValuesGrafanaDashboard
     hostNetwork?: bool
@@ -533,6 +535,18 @@ schema ValuesExtraArgs:
     """
     [...str]: any
 
+schema ValuesGenericTargets:
+    r"""
+    ValuesGenericTargets
+
+    Attributes
+    ----------
+    enabled : bool, optional
+    resources : any, optional
+    """
+    enabled?: bool
+    resources?: any
+
 schema ValuesGlobal:
     r"""
     ValuesGlobal
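Review bot: `resources?: any` in the new `ValuesGenericTargets` schema is looser than the companion JSON schema in this same change, which types the field as an array; `resources?: [any]` would at least reject a scalar or a map at KCL evaluation time. The docstring also says nothing about what the list controls: each entry is presumably a resource kind the controller is allowed to write, which would widen the operator's RBAC beyond Secrets, so the attribute description deserves a caveat along the lines of `enabled : bool, optional — enabling this grants the controller write access to every kind listed in resources; review the rendered RBAC before turning it on (confirm against the chart templates)`. If this schema is regenerated from the chart, the fix should go into the generator input rather than this file.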