diff --git a/Makefile b/Makefile index ba51215..66d152f 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ # To re-generate a bundle for another specific version without changing the standard setup, you can: # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 0.9.13 +VERSION ?= 0.9.14 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") diff --git a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml index 59630d2..565ab6f 100644 --- a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml +++ b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml @@ -375,7 +375,7 @@ metadata: "kind": "ExternalSecret", "metadata": { "annotations": { - "acme.org/sha": "1234" + "acme.org/sha": 1234 }, "labels": { "acme.org/owned-by": "q-team" @@ -671,8 +671,8 @@ metadata: capabilities: Deep Insights categories: Security certified: "false" - containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.9.13 - createdAt: "2024-02-17T14:10:05Z" + containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.9.14 + createdAt: "2024-03-30T14:06:37Z" description: Operator to configure external-secrets helm-chart based operator operatorframework.io/cluster-monitoring: "true" operators.openshift.io/infrastructure-features: '["Disconnected"]' @@ -683,7 +683,7 @@ metadata: labels: operatorframework.io/arch.amd64: supported operatorframework.io/os.linux: supported - name: external-secrets-operator.v0.9.13 + name: external-secrets-operator.v0.9.14 namespace: external-secrets spec: apiservicedefinitions: {} @@ -972,7 +972,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - image: ghcr.io/external-secrets/external-secrets-helm-operator:v0.9.13 + image: ghcr.io/external-secrets/external-secrets-helm-operator:v0.9.14 livenessProbe: httpGet: path: /healthz @@ -1070,4 +1070,4 @@ spec: provider: name: External Secrets url: https://external-secrets.io - version: 0.9.13 + version: 0.9.14 diff --git a/bundle/manifests/external-secrets.io_clustersecretstores.yaml b/bundle/manifests/external-secrets.io_clustersecretstores.yaml index f785ce4..ff416fe 100644 --- a/bundle/manifests/external-secrets.io_clustersecretstores.yaml +++ b/bundle/manifests/external-secrets.io_clustersecretstores.yaml @@ -976,6 +976,49 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password + Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates + with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider @@ -2322,6 +2365,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to @@ -2585,6 +2633,37 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using + the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing + the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider @@ -2948,6 +3027,78 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets + using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for + the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates + with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached + to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within + a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets + should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider @@ -3123,6 +3274,49 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password + Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates + with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider @@ -3735,6 +3929,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. diff --git a/bundle/manifests/external-secrets.io_pushsecrets.yaml b/bundle/manifests/external-secrets.io_pushsecrets.yaml index 06f21d6..43d9405 100644 --- a/bundle/manifests/external-secrets.io_pushsecrets.yaml +++ b/bundle/manifests/external-secrets.io_pushsecrets.yaml @@ -277,6 +277,14 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible + Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -350,8 +358,9 @@ spec: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret - Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced diff --git a/bundle/manifests/external-secrets.io_secretstores.yaml b/bundle/manifests/external-secrets.io_secretstores.yaml index 45ad666..427bdaa 100644 --- a/bundle/manifests/external-secrets.io_secretstores.yaml +++ b/bundle/manifests/external-secrets.io_secretstores.yaml @@ -976,6 +976,49 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password + Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates + with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider @@ -2322,6 +2365,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to @@ -2585,6 +2633,37 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using + the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing + the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider @@ -2948,6 +3027,78 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets + using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for + the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates + with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached + to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within + a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets + should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider @@ -3123,6 +3274,49 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password + Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates + with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider @@ -3735,6 +3929,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. diff --git a/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml b/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml index a28ad71..69d3faa 100644 --- a/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml +++ b/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml @@ -502,6 +502,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 242284c..1f92fe9 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -13,4 +13,4 @@ kind: Kustomization images: - name: controller newName: ghcr.io/external-secrets/external-secrets-helm-operator - newTag: v0.9.13 + newTag: v0.9.14 diff --git a/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml b/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml index be0edc7..2c8f1e5 100644 --- a/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml @@ -6,7 +6,7 @@ metadata: capabilities: Deep Insights categories: Security certified: "false" - containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.9.13 + containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.9.14 createdAt: "2021-11-22 00:00:00" description: Operator to configure external-secrets helm-chart based operator operatorframework.io/cluster-monitoring: "true" diff --git a/config/manifests/crds/clustersecretstore.yml b/config/manifests/crds/clustersecretstore.yml index 74dd1b8..a774813 100644 --- a/config/manifests/crds/clustersecretstore.yml +++ b/config/manifests/crds/clustersecretstore.yml @@ -898,6 +898,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: @@ -2162,6 +2202,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to @@ -2405,6 +2450,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: @@ -2736,6 +2809,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2896,6 +3033,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: @@ -3468,6 +3645,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: diff --git a/config/manifests/crds/pushsecret.yml b/config/manifests/crds/pushsecret.yml index 0120590..9ef3160 100644 --- a/config/manifests/crds/pushsecret.yml +++ b/config/manifests/crds/pushsecret.yml @@ -259,6 +259,13 @@ spec: type: type: string type: object + updatePolicy: + default: Replace + description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".' + enum: + - Replace + - IfNotExists + type: string required: - secretStoreRefs - selector @@ -328,7 +335,9 @@ spec: - match type: object type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. + description: |- + Synced PushSecrets, including secrets that already exist in provider. + Matches secret stores to PushSecretData that was stored to that secret store. type: object syncedResourceVersion: description: SyncedResourceVersion keeps track of the last synced version. diff --git a/config/manifests/crds/secretstore.yml b/config/manifests/crds/secretstore.yml index 840a6c5..34285ca 100644 --- a/config/manifests/crds/secretstore.yml +++ b/config/manifests/crds/secretstore.yml @@ -898,6 +898,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object vault: description: Vault configures this store to sync secrets using Hashi provider properties: @@ -2162,6 +2202,11 @@ spec: properties: account: type: string + hostId: + description: |- + Optional HostID for JWT authentication. This may be used depending + on how the Conjur JWT authenticator policy is configured. + type: string secretRef: description: |- Optional SecretRef that refers to a key in a Secret resource containing JWT token to @@ -2405,6 +2450,34 @@ spec: required: - data type: object + fortanix: + description: Fortanix configures this store to sync secrets using the Fortanix provider + properties: + apiKey: + description: APIKey is the API token to access SDKMS Applications. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the SDKMS API Key. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + apiUrl: + description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`. + type: string + type: object gcpsm: description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider properties: @@ -2736,6 +2809,70 @@ spec: required: - auth type: object + onboardbase: + description: Onboardbase configures this store to sync secrets using the Onboardbase provider + properties: + apiHost: + default: https://public.onboardbase.com/api/v1/ + description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/ + type: string + auth: + description: Auth configures how the Operator authenticates with the Onboardbase API + properties: + apiKeyRef: + description: |- + OnboardbaseAPIKey is the APIKey generated by an admin account. + It is used to recognize and authorize access to a project and environment within onboardbase + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + passcodeRef: + description: OnboardbasePasscode is the passcode attached to the API Key + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + required: + - apiKeyRef + - passcodeRef + type: object + environment: + default: development + description: Environment is the name of an environmnent within a project to pull the secrets from + type: string + project: + default: development + description: Project is an onboardbase project that the secrets should be pulled from + type: string + required: + - apiHost + - auth + - environment + - project + type: object onepassword: description: OnePassword configures this store to sync secrets using the 1Password Cloud provider properties: @@ -2896,6 +3033,46 @@ spec: - region - vault type: object + passworddepot: + description: Configures a store to sync secrets with a Password Depot instance. + properties: + auth: + description: Auth configures how secret-manager authenticates with a Password Depot instance. + properties: + secretRef: + properties: + credentials: + description: Username / Password is used for authentication. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + required: + - secretRef + type: object + database: + description: Database to use as source + type: string + host: + description: URL configures the Password Depot instance URL. + type: string + required: + - auth + - database + - host + type: object pulumi: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: @@ -3468,6 +3645,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: diff --git a/config/manifests/crds/vaultdynamicsecret.yml b/config/manifests/crds/vaultdynamicsecret.yml index 05a88d6..38a2582 100644 --- a/config/manifests/crds/vaultdynamicsecret.yml +++ b/config/manifests/crds/vaultdynamicsecret.yml @@ -469,6 +469,14 @@ spec: - path - username type: object + namespace: + description: |- + Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in. + Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + This will default to Vault.Namespace field if set, or empty otherwise + type: string tokenSecretRef: description: TokenSecretRef authenticates with Vault by presenting a token. properties: