From bcadf1fe87e3f80108d112b7cba033853149a12b Mon Sep 17 00:00:00 2001 
From: svcAPLBot <174728082+svcAPLBot@users.noreply.github.com> Date: Sat, 27 Jun 2026 01:22:25 +0000 Subject: [PATCH] chore(chart-deps): update external-secrets to version 2.7.0 --- chart/chart-index/Chart.yaml | 2 +- charts/external-secrets/Chart.yaml | 4 +- charts/external-secrets/README.md | 3 +- ...trustworkloadcredentialsdynamicsecret.yaml | 214 ++++++ .../crds/clustersecretstore.yaml | 395 +++++++++++ .../external-secrets/crds/externalsecret.yaml | 61 +- charts/external-secrets/crds/pushsecret.yaml | 638 ------------------ charts/external-secrets/crds/secretstore.yaml | 395 +++++++++++ .../external-secrets/templates/_helpers.tpl | 14 + .../templates/cert-controller-deployment.yaml | 2 +- .../cert-controller-poddisruptionbudget.yaml | 4 +- .../templates/cert-controller-rbac.yaml | 18 + .../templates/cert-controller-service.yaml | 2 +- ...trustworkloadcredentialsdynamicsecret.yaml | 220 ++++++ .../templates/crds/clusterexternalsecret.yaml | 61 +- .../templates/crds/clustergenerator.yaml | 162 +++++ .../templates/crds/clusterpushsecret.yaml | 10 + .../templates/crds/clustersecretstore.yaml | 395 +++++++++++ .../templates/crds/externalsecret.yaml | 61 +- .../templates/crds/pushsecret.yaml | 10 + .../templates/crds/secretstore.yaml | 395 +++++++++++ .../templates/deployment.yaml | 3 + .../templates/poddisruptionbudget.yaml | 4 +- charts/external-secrets/templates/rbac.yaml | 3 + .../external-secrets/templates/service.yaml | 2 +- .../templates/validatingwebhook.yaml | 6 +- .../templates/webhook-certificate.yaml | 8 +- .../templates/webhook-deployment.yaml | 2 +- .../webhook-poddisruptionbudget.yaml | 4 +- .../templates/webhook-service.yaml | 2 +- charts/external-secrets/values.schema.json | 3 + charts/external-secrets/values.yaml | 3 + 32 files changed, 2437 insertions(+), 669 deletions(-) create mode 100644 charts/external-secrets/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml delete mode 100644 charts/external-secrets/crds/pushsecret.yaml create mode 
100644 charts/external-secrets/templates/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 070acce3e9..3ac6e83166 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -32,7 +32,7 @@ dependencies: version: 1.21.1 repository: https://kubernetes-sigs.github.io/external-dns - name: external-secrets - version: 2.5.0 + version: 2.7.0 repository: https://charts.external-secrets.io - name: gitea version: 12.6.0 diff --git a/charts/external-secrets/Chart.yaml b/charts/external-secrets/Chart.yaml index 71072e27e4..bd863d000f 100644 --- a/charts/external-secrets/Chart.yaml +++ b/charts/external-secrets/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: v2.5.0 +appVersion: v2.7.0 dependencies: - condition: bitwarden-sdk-server.enabled name: bitwarden-sdk-server @@ -17,4 +17,4 @@ maintainers: name: mcavoyk name: external-secrets type: application -version: 2.5.0 +version: 2.7.0 diff --git a/charts/external-secrets/README.md b/charts/external-secrets/README.md index 28353ff2a9..7803dca38a 100644 --- a/charts/external-secrets/README.md +++ b/charts/external-secrets/README.md @@ -4,7 +4,7 @@ [//]: # (README.md generated by gotmpl. DO NOT EDIT.) -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.7.0](https://img.shields.io/badge/Version-2.7.0-informational?style=flat-square) External secrets management for Kubernetes 
@@ -243,6 +243,7 @@ The command removes all the Kubernetes components associated with the chart and | serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) | | serviceMonitor.renderMode | string | `"skipIfMissing"` | How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`" Possible values: - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing. - `failIfMissing`: Fail Helm install if CRD is not present. - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD. @schema enum: - skipIfMissing - failIfMissing - alwaysRender @schema | | serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| storeRequeueInterval | string | `""` | Default time duration between reconciling (Cluster)SecretStores. | | strategy | object | `{}` | Set deployment strategy | | systemAuthDelegator | bool | `false` | If true the system:auth-delegator ClusterRole will be added to RBAC | | tolerations | list | `[]` | | diff --git a/charts/external-secrets/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml b/charts/external-secrets/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml new file mode 100644 index 0000000000..60c12c1171 --- /dev/null +++ b/charts/external-secrets/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml 
@@ -0,0 +1,214 @@ +--- +# Source: external-secrets/templates/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + external-secrets.io/component: controller + name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - external-secrets + - external-secrets-generators + kind: BeyondtrustWorkloadCredentialsDynamicSecret + listKind: BeyondtrustWorkloadCredentialsDynamicSecretList + plural: beyondtrustworkloadcredentialsdynamicsecrets + singular: beyondtrustworkloadcredentialsdynamicsecret + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials. + This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials + (such as AWS STS credentials) each time an ExternalSecret is refreshed. + Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced. + For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator. + This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials. + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + controller: + description: |- + Controller selects the controller that should handle this generator. + Leave empty to use the default controller. + type: string + provider: + description: |- + Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication, + server connection details, and the folder path to the dynamic secret definition. + The folderPath should point to a dynamic secret definition that has been created in + BeyondTrust Workload Credentials (e.g., "production/aws-temp"). + For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + auth: + description: |- + Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API. + Currently supports API key authentication via Kubernetes secret reference. + For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + apikey: + description: |- + APIKey configures API token authentication for BeyondTrust Workload Credentials. + The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests. + properties: + token: + description: |- + Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token. + The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials. 
+ Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret. + For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - token + type: object + required: + - apikey + type: object + caBundle: + description: |- + CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this when your BeyondTrust instance uses a self-signed certificate or internal CA. + If not set, the system's trusted root certificates are used. + format: byte + type: string + caProvider: + description: |- + CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate. + This is used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + folderPath: + description: |- + FolderPath specifies the default folder path for secret retrieval. + Secrets will be fetched from this folder unless overridden in the ExternalSecret spec. + Example: "production/database" or "dev/api-keys" + Leave empty to retrieve secrets from the root folder. + For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders + type: string + server: + description: |- + Server configures the BeyondTrust Workload Credentials server connection details. + Includes the API URL and Site ID for your BeyondTrust instance. + For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiUrl: + description: |- + APIURL is the base URL of your BeyondTrust Workload Credentials API server. + This should be the full URL to your BeyondTrust instance. + Example: https://api.beyondtrust.io/siie + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url + type: string + siteId: + description: |- + SiteID is your BeyondTrust Workload Credentials site identifier (UUID format). + This identifier is unique to your BeyondTrust Workload Credentials instance. + You can find your Site ID in the BeyondTrust Workload Credentials admin console. 
+ Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890 + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + type: string + required: + - apiUrl + - siteId + type: object + required: + - auth + - server + type: object + retrySettings: + description: |- + RetrySettings configures exponential backoff for failed API requests. + If not specified, uses the default retry settings. + properties: + maxRetries: + format: int32 + type: integer + retryInterval: + type: string + type: object + required: + - provider + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/external-secrets/crds/clustersecretstore.yaml b/charts/external-secrets/crds/clustersecretstore.yaml index b9966a954f..f9e0ff9058 100644 --- a/charts/external-secrets/crds/clustersecretstore.yaml +++ b/charts/external-secrets/crds/clustersecretstore.yaml @@ -693,6 +693,7 @@ spec: Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) + - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID enum: - ServicePrincipal - ManagedIdentity 
@@ -1081,6 +1082,136 @@ spec: - auth - server type: object + beyondtrustworkloadcredentials: + description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider. + properties: + auth: + description: |- + Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API. + Currently supports API key authentication via Kubernetes secret reference. + For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + apikey: + description: |- + APIKey configures API token authentication for BeyondTrust Workload Credentials. + The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests. + properties: + token: + description: |- + Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token. + The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials. + Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret. + For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - token + type: object + required: + - apikey + type: object + caBundle: + description: |- + CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this when your BeyondTrust instance uses a self-signed certificate or internal CA. + If not set, the system's trusted root certificates are used. + format: byte + type: string + caProvider: + description: |- + CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate. + This is used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + folderPath: + description: |- + FolderPath specifies the default folder path for secret retrieval. + Secrets will be fetched from this folder unless overridden in the ExternalSecret spec. + Example: "production/database" or "dev/api-keys" + Leave empty to retrieve secrets from the root folder. 
+ For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders + type: string + server: + description: |- + Server configures the BeyondTrust Workload Credentials server connection details. + Includes the API URL and Site ID for your BeyondTrust instance. + For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiUrl: + description: |- + APIURL is the base URL of your BeyondTrust Workload Credentials API server. + This should be the full URL to your BeyondTrust instance. + Example: https://api.beyondtrust.io/siie + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url + type: string + siteId: + description: |- + SiteID is your BeyondTrust Workload Credentials site identifier (UUID format). + This identifier is unique to your BeyondTrust Workload Credentials instance. + You can find your Site ID in the BeyondTrust Workload Credentials admin console. + Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890 + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + type: string + required: + - apiUrl + - siteId + type: object + required: + - auth + - server + type: object bitwardensecretsmanager: description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider properties: @@ -3096,6 +3227,11 @@ spec: default: true description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. type: boolean + organizationSlug: + description: |- + OrganizationSlug is the optional slug that identifies the organization that will be used + during authentication. Useful for sub-organization setups + type: string projectSlug: description: ProjectSlug is the required slug identifier for the project. type: string 
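Review bot: The new `beyondtrustworkloadcredentials` provider (hunk @@ -1081,6 +1082,136) accepts `caBundle` and `caProvider` together with no rule on which one wins, whereas the `openBao` provider added later in this same file carries an `x-kubernetes-validations` entry with `message: at most one of the fields in [caBundle caProvider] may be set` and `rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'`. Unless the controller rejects the combination at runtime (not visible here), a store setting both presumably gets whichever trust anchor the code happens to prefer, and an operator reviewing the object cannot tell which CA is actually pinning the API TLS connection. Adding the same two-line validation after the provider's closing `type: object` would fail such objects at admission; the new `BeyondtrustWorkloadCredentialsDynamicSecret` generator CRD (hunk @@ -0,0 +1,214) has the identical `caBundle`/`caProvider` pair and the same omission. Both files are controller-gen output vendored from upstream, so the fix belongs in the upstream kubebuilder markers rather than in this bump.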
@@ -3746,6 +3882,265 @@ spec: - auth - vault type: object + openBao: + description: OpenBao configures this store to sync secrets using the OpenBao provider. + properties: + auth: + description: Auth configures how secret-manager authenticates with the OpenBao server. + properties: + appRole: + description: |- + AppRole authenticates with OpenBao using the [App Role auth mechanism], + with the role and secret stored in a Kubernetes Secret resource. + + [App Role auth mechanism]: https://openbao.org/docs/auth/approle/ + properties: + path: + default: approle + description: |- + Path where the App Role authentication backend is mounted + in OpenBao, e.g: "approle" + type: string + roleId: + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in OpenBao. + minLength: 1 + type: string + roleRef: + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with OpenBao. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + secretRef: + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with OpenBao. 
+ The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - path + - secretRef + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [roleId roleRef] must be set + rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1' + namespace: + description: |- + Name of the [OpenBao Namespace] to authenticate to. This can be different + than the namespace your secret is in. Namespaces is a set of features + within OpenBao that allows OpenBao environments to support secure + multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field + if set, or empty otherwise + + [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/ + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with OpenBao by presenting a token. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + userPass: + description: UserPass authenticates with OpenBao by passing a username/password pair + properties: + path: + default: userpass + description: |- + Path where the UserPassword authentication backend is mounted + in OpenBao, e.g: "userpass" + type: string + secretRef: + description: |- + SecretRef to a key in a Secret resource containing password for the user + used to authenticate with OpenBao using the [UserPass authentication + method] + + [UserPass authentication method]: https://openbao.org/docs/auth/userpass/ + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + username: + description: |- + Username is a username used to authenticate using the [UserPass + authentication method] + + [UserPass authentication method]: https://openbao.org/docs/auth/userpass/ + type: string + required: + - path + - username + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set + rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1' + caBundle: + description: |- + PEM encoded CA bundle used to validate the OpenBao server certificate. If + this and `caProvider` are not set the system root certificates are used + to validate the TLS connection. + format: byte + type: string + caProvider: + description: |- + The provider for the CA bundle to use to validate OpenBao server + certificate. If this and `caBundle` are not set the system root + certificates are used to validate the TLS connection. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + namespace: + description: |- + Name of the [OpenBao Namespace]. 
Namespaces is a set of features within + OpenBao that allows OpenBao environments to support secure multi-tenancy. + e.g: "ns1". + + [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/ + type: string + path: + description: |- + Path is the mount path of the OpenBao KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from OpenBao is optional and will be appended + if not present in specified path. + type: string + server: + description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.' + type: string + version: + default: v2 + description: |- + Version is the OpenBao KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". + enum: + - v1 + - v2 + type: string + required: + - server + type: object + x-kubernetes-validations: + - message: at most one of the fields in [caBundle caProvider] may be set + rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1' oracle: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: diff --git a/charts/external-secrets/crds/externalsecret.yaml b/charts/external-secrets/crds/externalsecret.yaml index 95e49dd929..07b2ea3aa9 100644 --- a/charts/external-secrets/crds/externalsecret.yaml +++ b/charts/external-secrets/crds/externalsecret.yaml @@ -104,7 +104,6 @@ spec: - Fetch type: string nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this source. enum: - Ignore @@ -147,6 +146,7 @@ spec: description: Specify the Kind of the generator resource enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken 
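Review bot: Dropping `default: Ignore` from `nullBytePolicy` (hunk @@ -104,7 +104,6, repeated at @@ -238,7 +238,6 and @@ -282,7 +281,6) means the API server will no longer materialize the field on ExternalSecrets that omit it, so after this CRD upgrade those objects carry no policy at all; the enum still lists `Ignore`, but what the 2.7.0 controller does for an absent value is not visible in this diff. Since Helm applies the `crds/` directory only on first install while the templated copy under `templates/crds/` (also changed per the diffstat) is what upgrades see, which clusters pick up the new schema depends on how CRDs are installed here. Worth confirming that absent is treated as `Ignore` (or stating the new behavior in the upgrade notes) before rolling this bump to clusters whose secrets rely on NUL-byte handling. The enclosing `spec` schema starts and ends outside these hunks.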
@@ -238,7 +238,6 @@ spec: - Fetch type: string nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this source. enum: - Ignore @@ -282,7 +281,6 @@ spec: type: string type: object nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this find source. enum: - Ignore @@ -396,6 +394,7 @@ spec: description: Specify the Kind of the generator resource enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken 
@@ -482,6 +481,53 @@ spec: pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: object + syncWindows: + description: |- + SyncWindows optionally restricts when periodic refreshes may occur. + Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset). + properties: + kind: + description: |- + Kind applies to every window in the list. + "allow" -- syncs are permitted only while at least one window is active; + all other times are blocked. + "deny" -- syncs are blocked while any window is active; + all other times are permitted. + enum: + - allow + - deny + type: string + windows: + description: Windows is the list of schedule+duration pairs. + items: + description: |- + ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair + within a SyncWindows block. + properties: + duration: + description: |- + Duration specifies how long the window stays open after each Schedule + firing. Example: "8h". + type: string + schedule: + description: |- + Schedule is a standard 5-field cron expression evaluated in UTC, or a + named shorthand such as @daily or @every 1h. It marks the start time of + each window occurrence. + Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC. + minLength: 1 + pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$ + type: string + required: + - duration + - schedule + type: object + minItems: 1 + type: array + required: + - kind + - windows + type: object target: default: creationPolicy: Owner @@ -666,6 +712,15 @@ spec: For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data". type: string + valuesDecodingStrategy: + default: None + description: Used to define a decoding Strategy for the rendered template values. + enum: + - Auto + - Base64 + - Base64URL + - None + type: string type: object type: array type: 
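Review bot: In the new `syncWindows` schema (hunk @@ -482,6 +481,53), `duration` is validated only by `type: string`, while its sibling `schedule` gets `minLength: 1` and a `pattern`; a value such as `8 hours` or an empty string passes admission and can only fail later in the controller, even though the description promises windows like `"8h"`. A constraint in the same style, e.g. `minLength: 1` and `pattern: ^([0-9]+(\.[0-9]+)?(ns|us|ms|s|m|h))+$`, would reject it at admission. Separately, the `@every [^\s]+.*` alternative in the schedule pattern ends in `.*`, so the trailing `$` anchor constrains nothing for that branch and `@every 1h trailing text` is accepted; `@every [^\s]+` matches what the description says. Both live in generated CRD output, so the change belongs in the upstream kubebuilder markers rather than this vendored file.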
diff --git a/charts/external-secrets/crds/pushsecret.yaml b/charts/external-secrets/crds/pushsecret.yaml deleted file mode 100644 index 1a0edfb786..0000000000 --- a/charts/external-secrets/crds/pushsecret.yaml +++ /dev/null 
@@ -1,638 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - labels: - external-secrets.io/component: controller - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - external-secrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - shortNames: - - ps - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.refreshTime - name: Last Sync - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - description: PushSecretData defines data to be pushed to the provider and associated metadata. 
- properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: array - dataTo: - description: DataTo defines bulk push rules that expand source Secret keys into provider entries. - items: - description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings. - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: |- - Match pattern for selecting keys from the source Secret. - If not specified, all keys are selected. - properties: - regexp: - description: |- - Regexp matches keys by regular expression. - If not specified, all keys are matched. - type: string - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. 
- x-kubernetes-preserve-unknown-fields: true - remoteKey: - description: |- - RemoteKey is the name of the single provider secret that will receive ALL - matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}). - When set, per-key expansion is skipped and a single push is performed. - The provider's store prefix (if any) is still prepended to this value. - When not set, each matched key is pushed as its own individual provider secret. - type: string - rewrite: - description: |- - Rewrite operations to transform keys before pushing to the provider. - Operations are applied sequentially. - items: - description: PushSecretRewrite defines how to transform secret keys before pushing. - properties: - regexp: - description: Used to rewrite with regular expressions. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - transform: - description: Used to apply string transformation on the secrets. - properties: - template: - description: |- - Used to define the template to apply on the secret name. - `.value ` will specify the secret name in the template. - type: string - required: - - template - type: object - type: object - x-kubernetes-validations: - - message: exactly one of regexp or transform must be set - rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform)) - type: array - storeRef: - description: StoreRef specifies which SecretStore to push to. Required. 
- properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - enum: - - SecretStore - - ClusterSecretStore - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: object - x-kubernetes-validations: - - message: storeRef must specify either name or labelSelector - rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector)) - - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)' - rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0' - type: array - deletionPolicy: - default: None - description: Deletion Policy to handle Secrets in the provider. - enum: - - Delete - - None - type: string - refreshInterval: - default: 1h0m0s - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - description: PushSecretStoreRef contains a reference on how to sync to a SecretStore. - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) - enum: - - SecretStore - - ClusterSecretStore - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - maxProperties: 1 - minProperties: 1 - properties: - generatorRef: - description: Point to a generator to create a Secret. 
- properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the generator resource - enum: - - ACRAccessToken - - ClusterGenerator - - CloudsmithAccessToken - - ECRAuthorizationToken - - Fake - - GCRAccessToken - - GithubAccessToken - - QuayAccessToken - - Password - - SSHKey - - STSSessionToken - - UUID - - VaultDynamicSecret - - Webhook - - Grafana - - MFA - type: string - name: - description: Specify the name of the generator resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - kind - - name - type: object - secret: - description: Select a Secret to Push. - properties: - name: - description: |- - Name of the Secret. - The Secret must exist in the same namespace as the PushSecret manifest. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - selector: - description: Selector chooses secrets using a labelSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: object - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - description: |- - EngineVersion specifies the template engine version - that should be used to compile/execute the - template specified in .data and .templateFrom[]. - enum: - - v2 - type: string - mergePolicy: - default: Replace - description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data. - enum: - - Replace - - Merge - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - description: |- - TemplateFrom specifies a source for templates. - Each item in the list can either reference a ConfigMap or a Secret resource. - properties: - configMap: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. 
- properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource. - properties: - items: - description: A list of keys in the ConfigMap/Secret to use as templates for Secret data - items: - description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data. - properties: - key: - description: A key in the ConfigMap/Secret - maxLength: 253 - minLength: 1 - pattern: ^[-._a-zA-Z0-9]+$ - type: string - templateAs: - default: Values - description: TemplateScope specifies how the template keys should be interpreted. - enum: - - Values - - KeysAndValues - type: string - required: - - key - type: object - type: array - name: - description: The name of the ConfigMap/Secret resource - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - items - - name - type: object - target: - default: Data - description: |- - Target specifies where to place the template result. - For Secret resources, common values are: "Data", "Annotations", "Labels". 
- For custom resources (when spec.target.manifest is set), this supports - nested paths like "spec.database.config" or "data". - type: string - type: object - type: array - type: - type: string - type: object - updatePolicy: - default: Replace - description: UpdatePolicy to handle Secrets in the provider. - enum: - - Replace - - IfNotExists - type: string - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: |- - refreshTime is the time and date the external secret was fetched and - the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - description: PushSecretData defines data to be pushed to the provider and associated metadata. - properties: - conversionStrategy: - default: None - description: Used to define a conversion Strategy for the secret keys - enum: - - None - - ReverseUnicode - type: string - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. 
- type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - type: object - metadata: - description: |- - Metadata is metadata attached to the secret. - The structure of metadata is provider specific, please look it up in the provider documentation. - x-kubernetes-preserve-unknown-fields: true - required: - - match - type: object - type: object - description: |- - Synced PushSecrets, including secrets that already exist in provider. - Matches secret stores to PushSecretData that was stored to that secret store. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/external-secrets/crds/secretstore.yaml b/charts/external-secrets/crds/secretstore.yaml index fb749674d2..4f121f3bbc 100644 --- a/charts/external-secrets/crds/secretstore.yaml +++ b/charts/external-secrets/crds/secretstore.yaml @@ -693,6 +693,7 @@ spec: Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) + - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID enum: - ServicePrincipal - ManagedIdentity 
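Review bot: The description now advertises `WorkloadIdentity` as a valid value, but the visible `enum` context at the end of the hunk lists only `ServicePrincipal` and `ManagedIdentity`; the enum continues past the hunk, so please confirm it contains `- WorkloadIdentity`, otherwise the description documents a value the API server rejects. While touching this text, the `ManagedIdentity` line still sends readers to `aad-pod-identity`, which its maintainers have deprecated in favour of workload identity; rewording it to `(see Azure Workload Identity, or the VM/VMSS managed identity)` keeps the doc from steering users to a retired project.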
@@ -1081,6 +1082,136 @@ spec: - auth - server type: object + beyondtrustworkloadcredentials: + description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider. + properties: + auth: + description: |- + Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API. + Currently supports API key authentication via Kubernetes secret reference. + For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + apikey: + description: |- + APIKey configures API token authentication for BeyondTrust Workload Credentials. + The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests. + properties: + token: + description: |- + Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token. + The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials. + Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret. + For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - token + type: object + required: + - apikey + type: object + caBundle: + description: |- + CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this when your BeyondTrust instance uses a self-signed certificate or internal CA. + If not set, the system's trusted root certificates are used. + format: byte + type: string + caProvider: + description: |- + CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate. + This is used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + folderPath: + description: |- + FolderPath specifies the default folder path for secret retrieval. + Secrets will be fetched from this folder unless overridden in the ExternalSecret spec. + Example: "production/database" or "dev/api-keys" + Leave empty to retrieve secrets from the root folder. 
+ For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders + type: string + server: + description: |- + Server configures the BeyondTrust Workload Credentials server connection details. + Includes the API URL and Site ID for your BeyondTrust instance. + For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiUrl: + description: |- + APIURL is the base URL of your BeyondTrust Workload Credentials API server. + This should be the full URL to your BeyondTrust instance. + Example: https://api.beyondtrust.io/siie + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url + type: string + siteId: + description: |- + SiteID is your BeyondTrust Workload Credentials site identifier (UUID format). + This identifier is unique to your BeyondTrust Workload Credentials instance. + You can find your Site ID in the BeyondTrust Workload Credentials admin console. + Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890 + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + type: string + required: + - apiUrl + - siteId + type: object + required: + - auth + - server + type: object bitwardensecretsmanager: description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider properties: @@ -3096,6 +3227,11 @@ spec: default: true description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. type: boolean + organizationSlug: + description: |- + OrganizationSlug is the optional slug that identifies the organization that will be used + during authentication. Useful for sub-organization setups + type: string projectSlug: description: ProjectSlug is the required slug identifier for the project. type: string 
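Review bot: The new `beyondtrustworkloadcredentials` provider accepts `caBundle` and `caProvider` at the same time with nothing saying which wins, whereas the `openBao` provider added further down in this same file ends with an `x-kubernetes-validations` entry enforcing `at most one of the fields in [caBundle caProvider] may be set`; the same rule, `rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'`, belongs on this provider too. Separately, `server.apiUrl` is an unconstrained string even though the auth description says the API key is sent as a Bearer token, so an `http://` value would transmit the key in cleartext; a `pattern: ^https://` on `apiUrl` (or an equivalent CEL rule) would stop that at admission. Both fixes should be made in the kubebuilder markers on the Go type, since this CRD is generated.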
@@ -3746,6 +3882,265 @@ spec: - auth - vault type: object + openBao: + description: OpenBao configures this store to sync secrets using the OpenBao provider. + properties: + auth: + description: Auth configures how secret-manager authenticates with the OpenBao server. + properties: + appRole: + description: |- + AppRole authenticates with OpenBao using the [App Role auth mechanism], + with the role and secret stored in a Kubernetes Secret resource. + + [App Role auth mechanism]: https://openbao.org/docs/auth/approle/ + properties: + path: + default: approle + description: |- + Path where the App Role authentication backend is mounted + in OpenBao, e.g: "approle" + type: string + roleId: + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in OpenBao. + minLength: 1 + type: string + roleRef: + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with OpenBao. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + secretRef: + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with OpenBao. 
+ The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - path + - secretRef + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [roleId roleRef] must be set + rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1' + namespace: + description: |- + Name of the [OpenBao Namespace] to authenticate to. This can be different + than the namespace your secret is in. Namespaces is a set of features + within OpenBao that allows OpenBao environments to support secure + multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field + if set, or empty otherwise + + [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/ + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with OpenBao by presenting a token. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + userPass: + description: UserPass authenticates with OpenBao by passing a username/password pair + properties: + path: + default: userpass + description: |- + Path where the UserPassword authentication backend is mounted + in OpenBao, e.g: "userpass" + type: string + secretRef: + description: |- + SecretRef to a key in a Secret resource containing password for the user + used to authenticate with OpenBao using the [UserPass authentication + method] + + [UserPass authentication method]: https://openbao.org/docs/auth/userpass/ + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + username: + description: |- + Username is a username used to authenticate using the [UserPass + authentication method] + + [UserPass authentication method]: https://openbao.org/docs/auth/userpass/ + type: string + required: + - path + - username + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set + rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1' + caBundle: + description: |- + PEM encoded CA bundle used to validate the OpenBao server certificate. If + this and `caProvider` are not set the system root certificates are used + to validate the TLS connection. + format: byte + type: string + caProvider: + description: |- + The provider for the CA bundle to use to validate OpenBao server + certificate. If this and `caBundle` are not set the system root + certificates are used to validate the TLS connection. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + namespace: + description: |- + Name of the [OpenBao Namespace]. 
Namespaces is a set of features within + OpenBao that allows OpenBao environments to support secure multi-tenancy. + e.g: "ns1". + + [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/ + type: string + path: + description: |- + Path is the mount path of the OpenBao KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from OpenBao is optional and will be appended + if not present in specified path. + type: string + server: + description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.' + type: string + version: + default: v2 + description: |- + Version is the OpenBao KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". + enum: + - v1 + - v2 + type: string + required: + - server + type: object + x-kubernetes-validations: + - message: at most one of the fields in [caBundle caProvider] may be set + rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1' oracle: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: diff --git a/charts/external-secrets/templates/_helpers.tpl b/charts/external-secrets/templates/_helpers.tpl index f30be7d506..e71b63378a 100644 --- a/charts/external-secrets/templates/_helpers.tpl +++ b/charts/external-secrets/templates/_helpers.tpl 
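Review bot: In the new `openBao` provider the closing CEL rule allows exactly one of `appRole`, `tokenSecretRef` and `userPass`, all of which are static credentials — a long-lived token, an AppRole secret ID, or a password — held in a Kubernetes Secret, and nothing in the descriptions tells operators that rotation is theirs to handle. `appRole.roleId` additionally lives inline on the SecretStore object, so anyone who can read SecretStores sees half of the AppRole pair; its description should say `RoleID is stored in plaintext on this resource and is visible to anyone who can read it; prefer roleRef to keep it in a Secret`, and `tokenSecretRef` should note that the token is not renewed by the operator. `server` is likewise an unconstrained string; a `pattern: ^https://` would prevent an accidental plaintext endpoint. OpenBao is a Vault fork and documents a kubernetes auth backend; if that method exists in the Vault provider of this chart, offering it here would let clusters avoid storing any static OpenBao credential at all.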
@@ -23,6 +23,20 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- end }} +{{/* +Build a resource name with a suffix, ensuring the total length stays within the +63-character DNS label limit. The fullname is truncated to (63 - len(suffix)) +chars so that appending the suffix never exceeds the limit. +Usage: {{ include "external-secrets.componentName" (list . "-webhook") }} +*/}} +{{- define "external-secrets.componentName" -}} +{{- $ctx := index . 0 -}} +{{- $suffix := index . 1 -}} +{{- $maxLen := int (sub 63 (len $suffix)) -}} +{{- if le $maxLen 0 }}{{- fail (printf "suffix '%s' is too long to fit in a 63-char DNS label" $suffix) }}{{- end -}} +{{- printf "%s%s" (include "external-secrets.fullname" $ctx | trunc $maxLen | trimSuffix "-") $suffix -}} +{{- end -}} + {{/* Define namespace of chart, useful for multi-namespace deployments */}} diff --git a/charts/external-secrets/templates/cert-controller-deployment.yaml b/charts/external-secrets/templates/cert-controller-deployment.yaml index 60851fed87..61f1023ae0 100644 --- a/charts/external-secrets/templates/cert-controller-deployment.yaml +++ b/charts/external-secrets/templates/cert-controller-deployment.yaml @@ -71,7 +71,7 @@ spec: args: - certcontroller - --crd-requeue-interval={{ .Values.certController.requeueInterval }} - - --service-name={{ include "external-secrets.fullname" . }}-webhook + - --service-name={{ include "external-secrets.componentName" (list . "-webhook") }} - --service-namespace={{ template "external-secrets.namespace" . }} - --secret-name={{ include "external-secrets.fullname" . }}-webhook - --secret-namespace={{ template "external-secrets.namespace" . }} diff --git a/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml b/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml index 8149898e45..ded0755340 100644 --- a/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml 
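Review bot: The new `external-secrets.componentName` helper is applied to the webhook Service name (`--service-name` in the cert-controller-deployment hunk on this same line and the cert-controller-service template), but `--secret-name`, the `resourceNames` entry in cert-controller-rbac.yaml and the `cert-manager.io/inject-ca-from` annotation in the new CRD template still build `<fullname>-webhook` untruncated, so once the fullname exceeds 55 characters the Service and the Secret/Certificate names stop sharing a prefix. That is valid (Secret names allow 253 characters) but reads like a bug to the next maintainer; the helper's header comment should state it, e.g. `Use only where the result must be a DNS label (Service names); Secret and Certificate names keep the untruncated fullname on purpose.` If instead every webhook-related name is meant to match, the remaining call sites should be switched to the helper as well.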
+++ b/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml @@ -7,9 +7,9 @@ metadata: labels: {{- include "external-secrets-cert-controller.labels" . | nindent 4 }} spec: - {{- if .Values.certController.podDisruptionBudget.maxUnavailable }} + {{- if hasKey .Values.certController.podDisruptionBudget "maxUnavailable" }} maxUnavailable: {{ .Values.certController.podDisruptionBudget.maxUnavailable }} - {{- else if .Values.certController.podDisruptionBudget.minAvailable }} + {{- else if hasKey .Values.certController.podDisruptionBudget "minAvailable" }} minAvailable: {{ .Values.certController.podDisruptionBudget.minAvailable }} {{- end }} selector: diff --git a/charts/external-secrets/templates/cert-controller-rbac.yaml b/charts/external-secrets/templates/cert-controller-rbac.yaml index 6646ddab4a..c170364ee1 100644 --- a/charts/external-secrets/templates/cert-controller-rbac.yaml +++ b/charts/external-secrets/templates/cert-controller-rbac.yaml @@ -14,6 +14,17 @@ rules: - "get" - "list" - "watch" + - apiGroups: + - "apiextensions.k8s.io" + resources: + - "customresourcedefinitions" + resourceNames: + - "externalsecrets.external-secrets.io" + - "secretstores.external-secrets.io" + {{- if .Values.crds.createClusterSecretStore }} + - "clustersecretstores.external-secrets.io" + {{- end }} + verbs: - "update" - "patch" - apiGroups: @@ -65,6 +76,13 @@ rules: - "get" - "list" - "watch" + - apiGroups: + - "" + resources: + - "secrets" + resourceNames: + - {{ printf "%s-webhook" (include "external-secrets.fullname" .) | quote }} + verbs: - "update" - "patch" - apiGroups: diff --git a/charts/external-secrets/templates/cert-controller-service.yaml b/charts/external-secrets/templates/cert-controller-service.yaml index 32a6ad1f40..96b3e9ae3b 100644 --- a/charts/external-secrets/templates/cert-controller-service.yaml +++ b/charts/external-secrets/templates/cert-controller-service.yaml 
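Review bot: Switching to `hasKey` means a key that is present but empty (`maxUnavailable:` with no value, if Helm keeps a null entry after coalescing) now renders `maxUnavailable:` with an empty value instead of being skipped, so it is worth confirming in values.yaml and values.schema.json (both touched by this patch) that each key is integer-or-absent. Since `0` is now a legitimate value for both keys, the `if`/`else if` order also silently prefers `maxUnavailable` when both are set; a comment such as `{{- /* maxUnavailable takes precedence when both keys are set */ -}}` above the block would make that explicit. The diffstat shows the same edit in the webhook and controller poddisruptionbudget templates, which are outside this chunk.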
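Review bot: The new `secrets` rule in cert-controller-rbac.yaml scopes `update`/`patch` to the `<fullname>-webhook` Secret via `resourceNames`, which is a good least-privilege step, but if this file defines a ClusterRole (the `kind` is outside both hunks) the restriction still matches a Secret of that name in every namespace, not only the one passed as `--secret-namespace`. A Role plus RoleBinding in `{{ template "external-secrets.namespace" . }}` would confine the write permission to that namespace; if a ClusterRole is required, a comment stating why, e.g. `# ClusterRole on purpose: the webhook Secret may live outside the release namespace`, should sit above the rule. The `customresourcedefinitions` rule in the first hunk is correctly limited to the three CRD names, but the conditional on `.Values.crds.createClusterSecretStore` means a cluster where that flag is off but the CRD exists from an earlier install will not be patched, which may be worth a line in the values documentation.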
@@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics + name: {{ include "external-secrets.componentName" (list . "-cert-controller-metrics") }} namespace: {{ template "external-secrets.namespace" . }} labels: {{- include "external-secrets-cert-controller.labels" . | nindent 4 }} diff --git a/charts/external-secrets/templates/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml b/charts/external-secrets/templates/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml new file mode 100644 index 0000000000..62c04783a8 --- /dev/null +++ b/charts/external-secrets/templates/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml 
@@ -0,0 +1,220 @@ +{{- if .Values.installCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4}} + {{- end }} + {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook + {{- end }} + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + external-secrets.io/component: controller + name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - external-secrets + - external-secrets-generators + kind: BeyondtrustWorkloadCredentialsDynamicSecret + listKind: BeyondtrustWorkloadCredentialsDynamicSecretList + plural: beyondtrustworkloadcredentialsdynamicsecrets + singular: beyondtrustworkloadcredentialsdynamicsecret + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials. + This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials + (such as AWS STS credentials) each time an ExternalSecret is refreshed. + Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced. + For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator. + This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials. + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + controller: + description: |- + Controller selects the controller that should handle this generator. + Leave empty to use the default controller. + type: string + provider: + description: |- + Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication, + server connection details, and the folder path to the dynamic secret definition. + The folderPath should point to a dynamic secret definition that has been created in + BeyondTrust Workload Credentials (e.g., "production/aws-temp"). + For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + auth: + description: |- + Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API. + Currently supports API key authentication via Kubernetes secret reference. + For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + apikey: + description: |- + APIKey configures API token authentication for BeyondTrust Workload Credentials. + The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests. 
+ properties: + token: + description: |- + Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token. + The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials. + Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret. + For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - token + type: object + required: + - apikey + type: object + caBundle: + description: |- + CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this when your BeyondTrust instance uses a self-signed certificate or internal CA. + If not set, the system's trusted root certificates are used. + format: byte + type: string + caProvider: + description: |- + CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate. + This is used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. 
+ maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + folderPath: + description: |- + FolderPath specifies the default folder path for secret retrieval. + Secrets will be fetched from this folder unless overridden in the ExternalSecret spec. + Example: "production/database" or "dev/api-keys" + Leave empty to retrieve secrets from the root folder. + For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders + type: string + server: + description: |- + Server configures the BeyondTrust Workload Credentials server connection details. + Includes the API URL and Site ID for your BeyondTrust instance. + For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiUrl: + description: |- + APIURL is the base URL of your BeyondTrust Workload Credentials API server. + This should be the full URL to your BeyondTrust instance. + Example: https://api.beyondtrust.io/siie + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url + type: string + siteId: + description: |- + SiteID is your BeyondTrust Workload Credentials site identifier (UUID format). + This identifier is unique to your BeyondTrust Workload Credentials instance. + You can find your Site ID in the BeyondTrust Workload Credentials admin console. 
+ Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890 + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + type: string + required: + - apiUrl + - siteId + type: object + required: + - auth + - server + type: object + retrySettings: + description: |- + RetrySettings configures exponential backoff for failed API requests. + If not specified, uses the default retry settings. + properties: + maxRetries: + format: int32 + type: integer + retryInterval: + type: string + type: object + required: + - provider + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/external-secrets/templates/crds/clusterexternalsecret.yaml b/charts/external-secrets/templates/crds/clusterexternalsecret.yaml index 01eb9f85e4..12fe2df303 100644 --- a/charts/external-secrets/templates/crds/clusterexternalsecret.yaml +++ b/charts/external-secrets/templates/crds/clusterexternalsecret.yaml @@ -121,7 +121,6 @@ spec: - Fetch type: string nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this source. enum: - Ignore @@ -164,6 +163,7 @@ spec: description: Specify the Kind of the generator resource enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken @@ -255,7 +255,6 @@ spec: - Fetch type: string nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this source. enum: - Ignore @@ -299,7 +298,6 @@ spec: type: string type: object nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this find source. enum: - Ignore @@ -413,6 +411,7 @@ spec: description: Specify the Kind of the generator resource enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken 
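Review bot: The `provider` schema in the new beyondtrustworkloadcredentialsdynamicsecret.yaml declares `caBundle` and `caProvider` as independent optional fields with no mutual-exclusion rule, whereas the openBao provider added by the same patch carries an `x-kubernetes-validations` entry for exactly this pair; an object setting both is admitted and which bundle wins is decided only inside the controller. The same rule belongs at the `provider` level here: `x-kubernetes-validations:` / `- message: at most one of the fields in [caBundle caProvider] may be set` / `rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'`. The identical schema is repeated in the clustergenerator.yaml `beyondtrustWorkloadCredentialsDynamicSecretSpec` hunk and the clustersecretstore.yaml `beyondtrustworkloadcredentials` hunk later in this chunk, so all three need it. Separately, the `cert-manager.io/inject-ca-from` annotation is emitted under `crds.conversion.enabled`, but this CRD serves a single `v1alpha1` version with no `conversion` block, so the annotation has nothing to inject into and is better omitted from this template.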
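Review bot: Dropping `default: Ignore` from `nullBytePolicy` in clusterexternalsecret.yaml (the `-121`, `-255` and `-299` hunks) means the API server no longer materialises a value, so newly created objects carry no `nullBytePolicy` while objects persisted under the previous schema keep `Ignore`, and the two populations are only equivalent if the controller treats absent as `Ignore`. The description should say what an unset value means, e.g. `description: Controls how ESO handles fetched secret data containing NUL bytes for this source. When unset, the controller's default applies.` with the actual default named. If the controller's unset behaviour differs from `Ignore`, this is a silent behaviour change for users who never set the field and deserves a changelog entry.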
@@ -499,6 +498,53 @@ spec: pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: object + syncWindows: + description: |- + SyncWindows optionally restricts when periodic refreshes may occur. + Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset). + properties: + kind: + description: |- + Kind applies to every window in the list. + "allow" -- syncs are permitted only while at least one window is active; + all other times are blocked. + "deny" -- syncs are blocked while any window is active; + all other times are permitted. + enum: + - allow + - deny + type: string + windows: + description: Windows is the list of schedule+duration pairs. + items: + description: |- + ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair + within a SyncWindows block. + properties: + duration: + description: |- + Duration specifies how long the window stays open after each Schedule + firing. Example: "8h". + type: string + schedule: + description: |- + Schedule is a standard 5-field cron expression evaluated in UTC, or a + named shorthand such as @daily or @every 1h. It marks the start time of + each window occurrence. + Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC. + minLength: 1 + pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$ + type: string + required: + - duration + - schedule + type: object + minItems: 1 + type: array + required: + - kind + - windows + type: object target: default: creationPolicy: Owner @@ -683,6 +729,15 @@ spec: For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data". type: string + valuesDecodingStrategy: + default: None + description: Used to define a decoding Strategy for the rendered template values. + enum: + - Auto + - Base64 + - Base64URL + - None + type: string type: object type: array type: 
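Review bot: In the new `syncWindows` schema `schedule` carries a `pattern` but `duration` does not, so a value such as `8 hours` passes admission and only fails when the controller parses it; adding `pattern: ^([0-9]+(\.[0-9]+)?(ns|us|ms|s|m|h))+$` under `duration` (a Go duration form, constructed here — adjust if a different parser is used) would reject it up front. The `schedule` pattern's `@every [^\s]+.*` branch also accepts arbitrary trailing text after the interval, which looks unintended; `@every [^\s]+` alone matches the documented form. The enclosing `spec` schema starts before and continues after this hunk.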
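Review bot: The new `valuesDecodingStrategy` enum includes `Auto`, but its description (`Used to define a decoding Strategy for the rendered template values.`) does not say how `Auto` decides that a rendered value is base64, and a plaintext value that happens to be valid base64 (e.g. `deadbeef`) would then be silently turned into different bytes. The description should spell out the detection rule and that `None` is the safe default, e.g. `Auto tries Base64 and Base64URL decoding and keeps the raw value when neither succeeds`, adjusted to what the controller actually does. The same field with the same description is added in the clusterpushsecret.yaml hunk later in this chunk.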
diff --git a/charts/external-secrets/templates/crds/clustergenerator.yaml b/charts/external-secrets/templates/crds/clustergenerator.yaml index 2a89ea70a2..20ee1e6dbb 100644 --- a/charts/external-secrets/templates/crds/clustergenerator.yaml +++ b/charts/external-secrets/templates/crds/clustergenerator.yaml 
@@ -208,6 +208,166 @@ spec: - auth - registry type: object + beyondtrustWorkloadCredentialsDynamicSecretSpec: + description: |- + BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator. + This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials. + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + controller: + description: |- + Controller selects the controller that should handle this generator. + Leave empty to use the default controller. + type: string + provider: + description: |- + Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication, + server connection details, and the folder path to the dynamic secret definition. + The folderPath should point to a dynamic secret definition that has been created in + BeyondTrust Workload Credentials (e.g., "production/aws-temp"). + For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + auth: + description: |- + Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API. + Currently supports API key authentication via Kubernetes secret reference. + For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + apikey: + description: |- + APIKey configures API token authentication for BeyondTrust Workload Credentials. + The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests. + properties: + token: + description: |- + Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token. + The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials. + Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret. 
+ For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - token + type: object + required: + - apikey + type: object + caBundle: + description: |- + CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this when your BeyondTrust instance uses a self-signed certificate or internal CA. + If not set, the system's trusted root certificates are used. + format: byte + type: string + caProvider: + description: |- + CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate. + This is used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. 
+ Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + folderPath: + description: |- + FolderPath specifies the default folder path for secret retrieval. + Secrets will be fetched from this folder unless overridden in the ExternalSecret spec. + Example: "production/database" or "dev/api-keys" + Leave empty to retrieve secrets from the root folder. + For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders + type: string + server: + description: |- + Server configures the BeyondTrust Workload Credentials server connection details. + Includes the API URL and Site ID for your BeyondTrust instance. + For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiUrl: + description: |- + APIURL is the base URL of your BeyondTrust Workload Credentials API server. + This should be the full URL to your BeyondTrust instance. + Example: https://api.beyondtrust.io/siie + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url + type: string + siteId: + description: |- + SiteID is your BeyondTrust Workload Credentials site identifier (UUID format). + This identifier is unique to your BeyondTrust Workload Credentials instance. + You can find your Site ID in the BeyondTrust Workload Credentials admin console. + Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890 + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + type: string + required: + - apiUrl + - siteId + type: object + required: + - auth + - server + type: object + retrySettings: + description: |- + RetrySettings configures exponential backoff for failed API requests. + If not specified, uses the default retry settings. 
+ properties: + maxRetries: + format: int32 + type: integer + retryInterval: + type: string + type: object + required: + - provider + type: object cloudsmithAccessTokenSpec: description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication. properties: @@ -2247,6 +2407,7 @@ spec: description: Kind the kind of this generator. enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - CloudsmithAccessToken - ECRAuthorizationToken - Fake @@ -2260,6 +2421,7 @@ spec: - VaultDynamicSecret - Webhook - Grafana + - MFA type: string required: - generator diff --git a/charts/external-secrets/templates/crds/clusterpushsecret.yaml b/charts/external-secrets/templates/crds/clusterpushsecret.yaml index 692b14cc61..749278a483 100644 --- a/charts/external-secrets/templates/crds/clusterpushsecret.yaml +++ b/charts/external-secrets/templates/crds/clusterpushsecret.yaml @@ -401,6 +401,7 @@ spec: description: Specify the Kind of the generator resource enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken @@ -609,6 +610,15 @@ spec: For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data". type: string + valuesDecodingStrategy: + default: None + description: Used to define a decoding Strategy for the rendered template values. + enum: + - Auto + - Base64 + - Base64URL + - None + type: string type: object type: array type: diff --git a/charts/external-secrets/templates/crds/clustersecretstore.yaml b/charts/external-secrets/templates/crds/clustersecretstore.yaml index b10d1dfd44..fb9e9521bf 100644 --- a/charts/external-secrets/templates/crds/clustersecretstore.yaml +++ b/charts/external-secrets/templates/crds/clustersecretstore.yaml 
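Review bot: In the `@@ -2260,6 +2421,7 @@` hunk of clustergenerator.yaml `MFA` is appended after `Grafana` at the tail of the `Kind` enum, while the `BeyondtrustWorkloadCredentialsDynamicSecret` entry in the preceding hunk is inserted alphabetically after `ACRAccessToken`; the list was already out of order (`Grafana` after `Webhook`), but if it is meant to be sorted this is the hunk to do it in. No matching `mfaSpec` property is visible in the `@@ -208` hunk of this file, so please confirm the generator spec already carries one; otherwise `kind: MFA` is admitted with no schema to hold its configuration.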
@@ -698,6 +698,7 @@ spec: Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) + - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID enum: - ServicePrincipal - ManagedIdentity 
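Review bot: The added description line documents a third Azure auth value `WorkloadIdentity`, but the hunk's trailing context ends at `- ManagedIdentity` and the enum entry itself is outside the hunk; please confirm `- WorkloadIdentity` is present in the `enum` list, since otherwise the documented value is rejected at admission. If the enum already contains it, this change is documentation only and consistent with it.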
@@ -1086,6 +1087,136 @@ spec: - auth - server type: object + beyondtrustworkloadcredentials: + description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider. + properties: + auth: + description: |- + Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API. + Currently supports API key authentication via Kubernetes secret reference. + For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + apikey: + description: |- + APIKey configures API token authentication for BeyondTrust Workload Credentials. + The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests. + properties: + token: + description: |- + Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token. + The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials. + Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret. + For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - token + type: object + required: + - apikey + type: object + caBundle: + description: |- + CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this when your BeyondTrust instance uses a self-signed certificate or internal CA. + If not set, the system's trusted root certificates are used. + format: byte + type: string + caProvider: + description: |- + CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate. + This is used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + folderPath: + description: |- + FolderPath specifies the default folder path for secret retrieval. + Secrets will be fetched from this folder unless overridden in the ExternalSecret spec. + Example: "production/database" or "dev/api-keys" + Leave empty to retrieve secrets from the root folder. 
+ For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders + type: string + server: + description: |- + Server configures the BeyondTrust Workload Credentials server connection details. + Includes the API URL and Site ID for your BeyondTrust instance. + For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiUrl: + description: |- + APIURL is the base URL of your BeyondTrust Workload Credentials API server. + This should be the full URL to your BeyondTrust instance. + Example: https://api.beyondtrust.io/siie + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url + type: string + siteId: + description: |- + SiteID is your BeyondTrust Workload Credentials site identifier (UUID format). + This identifier is unique to your BeyondTrust Workload Credentials instance. + You can find your Site ID in the BeyondTrust Workload Credentials admin console. + Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890 + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + type: string + required: + - apiUrl + - siteId + type: object + required: + - auth + - server + type: object bitwardensecretsmanager: description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider properties: @@ -3101,6 +3232,11 @@ spec: default: true description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. type: boolean + organizationSlug: + description: |- + OrganizationSlug is the optional slug that identifies the organization that will be used + during authentication. Useful for sub-organization setups + type: string projectSlug: description: ProjectSlug is the required slug identifier for the project. type: string 
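Review bot: In the `beyondtrustworkloadcredentials` provider `server.apiUrl` is a plain `type: string` with no `format` or `pattern`, so an `http://` URL or a non-URL is admitted even though the `caBundle`/`caProvider` descriptions present TLS validation as the trust boundary and the `apikey` description says the token is sent as a Bearer token. A `pattern: ^https://` (constructed — relax it only if plain HTTP is intentionally supported) would keep that credential off cleartext connections at the schema level. The same `server.apiUrl` schema appears in the two generator CRD hunks earlier in this chunk.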
@@ -3751,6 +3887,265 @@ spec: - auth - vault type: object + openBao: + description: OpenBao configures this store to sync secrets using the OpenBao provider. + properties: + auth: + description: Auth configures how secret-manager authenticates with the OpenBao server. + properties: + appRole: + description: |- + AppRole authenticates with OpenBao using the [App Role auth mechanism], + with the role and secret stored in a Kubernetes Secret resource. + + [App Role auth mechanism]: https://openbao.org/docs/auth/approle/ + properties: + path: + default: approle + description: |- + Path where the App Role authentication backend is mounted + in OpenBao, e.g: "approle" + type: string + roleId: + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in OpenBao. + minLength: 1 + type: string + roleRef: + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with OpenBao. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + secretRef: + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with OpenBao. 
+ The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - path + - secretRef + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [roleId roleRef] must be set + rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1' + namespace: + description: |- + Name of the [OpenBao Namespace] to authenticate to. This can be different + than the namespace your secret is in. Namespaces is a set of features + within OpenBao that allows OpenBao environments to support secure + multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field + if set, or empty otherwise + + [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/ + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with OpenBao by presenting a token. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + userPass: + description: UserPass authenticates with OpenBao by passing a username/password pair + properties: + path: + default: userpass + description: |- + Path where the UserPassword authentication backend is mounted + in OpenBao, e.g: "userpass" + type: string + secretRef: + description: |- + SecretRef to a key in a Secret resource containing password for the user + used to authenticate with OpenBao using the [UserPass authentication + method] + + [UserPass authentication method]: https://openbao.org/docs/auth/userpass/ + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + username: + description: |- + Username is a username used to authenticate using the [UserPass + authentication method] + + [UserPass authentication method]: https://openbao.org/docs/auth/userpass/ + type: string + required: + - path + - username + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set + rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1' + caBundle: + description: |- + PEM encoded CA bundle used to validate the OpenBao server certificate. If + this and `caProvider` are not set the system root certificates are used + to validate the TLS connection. + format: byte + type: string + caProvider: + description: |- + The provider for the CA bundle to use to validate OpenBao server + certificate. If this and `caBundle` are not set the system root + certificates are used to validate the TLS connection. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + namespace: + description: |- + Name of the [OpenBao Namespace]. 
Namespaces is a set of features within + OpenBao that allows OpenBao environments to support secure multi-tenancy. + e.g: "ns1". + + [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/ + type: string + path: + description: |- + Path is the mount path of the OpenBao KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from OpenBao is optional and will be appended + if not present in specified path. + type: string + server: + description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.' + type: string + version: + default: v2 + description: |- + Version is the OpenBao KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". + enum: + - v1 + - v2 + type: string + required: + - server + type: object + x-kubernetes-validations: + - message: at most one of the fields in [caBundle caProvider] may be set + rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1' oracle: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: diff --git a/charts/external-secrets/templates/crds/externalsecret.yaml b/charts/external-secrets/templates/crds/externalsecret.yaml index b09a6bbb00..835752bbf6 100644 --- a/charts/external-secrets/templates/crds/externalsecret.yaml +++ b/charts/external-secrets/templates/crds/externalsecret.yaml @@ -109,7 +109,6 @@ spec: - Fetch type: string nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this source. enum: - Ignore @@ -152,6 +151,7 @@ spec: description: Specify the Kind of the generator resource enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken 
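Review bot: `server` under `openBao` is constrained only by `type: string`, while the sibling `auth` block carries an AppRole secret, a token or a password that the controller presents to whatever address is configured, so nothing at admission time stops an `http://` value from sending those credentials over the network in cleartext. If plain HTTP is not meant to be supported, the Go type this CRD is generated from should carry a pattern marker so the rendered schema gains `pattern: ^https://` next to `type: string`; if it is meant to be allowed for local setups, the `server` description should say so. The same block is duplicated in the SecretStore CRD hunk (`@@ -3751,6 +3887,265 @@` in templates/crds/secretstore.yaml) and the point applies there too. Separately, the `caBundle` description reads "PEM encoded CA bundle" although the field is `format: byte`, so the manifest value has to be the base64 of the PEM text; the BeyondTrust provider's wording `CABundle is a base64-encoded CA certificate used to validate ...` is the less ambiguous form and could be reused here.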
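Review bot: With `default: Ignore` removed, the API server no longer fills in `nullBytePolicy`, so an ExternalSecret that leaves it unset now reaches the controller with no value, and the `description:` line that remains does not say what that means. The description should state the unset behaviour, e.g. `description: Controls how ESO handles fetched secret data containing NUL bytes for this source. When unset, the controller applies <CONTROLLER-DEFAULT — confirm from the 2.7.0 release notes>.`; the same applies to the two further `nullBytePolicy` hunks in this file (`@@ -243,7 +243,6 @@` and `@@ -287,7 +286,6 @@`). Objects created under the old schema presumably keep the persisted `Ignore` value while new ones have none, so pre-existing and new resources may behave differently after this upgrade — worth a line in the chart's upgrade notes.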
@@ -243,7 +243,6 @@ spec: - Fetch type: string nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this source. enum: - Ignore @@ -287,7 +286,6 @@ spec: type: string type: object nullBytePolicy: - default: Ignore description: Controls how ESO handles fetched secret data containing NUL bytes for this find source. enum: - Ignore @@ -401,6 +399,7 @@ spec: description: Specify the Kind of the generator resource enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken 
@@ -487,6 +486,53 @@ spec: pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: object + syncWindows: + description: |- + SyncWindows optionally restricts when periodic refreshes may occur. + Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset). + properties: + kind: + description: |- + Kind applies to every window in the list. + "allow" -- syncs are permitted only while at least one window is active; + all other times are blocked. + "deny" -- syncs are blocked while any window is active; + all other times are permitted. + enum: + - allow + - deny + type: string + windows: + description: Windows is the list of schedule+duration pairs. + items: + description: |- + ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair + within a SyncWindows block. + properties: + duration: + description: |- + Duration specifies how long the window stays open after each Schedule + firing. Example: "8h". + type: string + schedule: + description: |- + Schedule is a standard 5-field cron expression evaluated in UTC, or a + named shorthand such as @daily or @every 1h. It marks the start time of + each window occurrence. + Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC. + minLength: 1 + pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$ + type: string + required: + - duration + - schedule + type: object + minItems: 1 + type: array + required: + - kind + - windows + type: object target: default: creationPolicy: Owner @@ -671,6 +717,15 @@ spec: For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data". type: string + valuesDecodingStrategy: + default: None + description: Used to define a decoding Strategy for the rendered template values. + enum: + - Auto + - Base64 + - Base64URL + - None + type: string type: object type: array type: 
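Review bot: `duration` inside `syncWindows.windows.items` is a bare `type: string`, while its sibling `schedule` carries `minLength: 1` and a `pattern`, so a malformed or empty duration passes admission and only fails when the controller evaluates the window. If the value is parsed as a Go duration, which the `"8h"` example suggests, the generating Go type could carry a pattern marker so the schema here gains `minLength: 1` and `pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$` under `duration:`. The `schedule` pattern's `@every [^\s]+.*` branch also accepts arbitrary trailing text after the first token, which is looser than the other branches; it may be intentional, but the description does not say so.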
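Review bot: The `valuesDecodingStrategy` description, `Used to define a decoding Strategy for the rendered template values.`, does not explain what `Auto` does or what happens when decoding fails, which matters because a decoding step applied to rendered secret data changes the bytes that end up in the target Secret. The description should spell out which encodings `Auto` tries and whether a value that does not decode is passed through unchanged or rejected — the exact rule should be taken from the ESO 2.7.0 documentation rather than guessed here. The same field and description are added to templates/crds/pushsecret.yaml (`@@ -541,6 +542,15 @@`) and should be updated together.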
diff --git a/charts/external-secrets/templates/crds/pushsecret.yaml b/charts/external-secrets/templates/crds/pushsecret.yaml index 59e150e5ce..8a888891bf 100644 --- a/charts/external-secrets/templates/crds/pushsecret.yaml +++ b/charts/external-secrets/templates/crds/pushsecret.yaml @@ -333,6 +333,7 @@ spec: description: Specify the Kind of the generator resource enum: - ACRAccessToken + - BeyondtrustWorkloadCredentialsDynamicSecret - ClusterGenerator - CloudsmithAccessToken - ECRAuthorizationToken @@ -541,6 +542,15 @@ spec: For custom resources (when spec.target.manifest is set), this supports nested paths like "spec.database.config" or "data". type: string + valuesDecodingStrategy: + default: None + description: Used to define a decoding Strategy for the rendered template values. + enum: + - Auto + - Base64 + - Base64URL + - None + type: string type: object type: array type: diff --git a/charts/external-secrets/templates/crds/secretstore.yaml b/charts/external-secrets/templates/crds/secretstore.yaml index 59c11851a8..952424d3d6 100644 --- a/charts/external-secrets/templates/crds/secretstore.yaml +++ b/charts/external-secrets/templates/crds/secretstore.yaml @@ -698,6 +698,7 @@ spec: Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) + - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID enum: - ServicePrincipal - ManagedIdentity 
@@ -1086,6 +1087,136 @@ spec: - auth - server type: object + beyondtrustworkloadcredentials: + description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider. + properties: + auth: + description: |- + Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API. + Currently supports API key authentication via Kubernetes secret reference. + For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + apikey: + description: |- + APIKey configures API token authentication for BeyondTrust Workload Credentials. + The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests. + properties: + token: + description: |- + Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token. + The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials. + Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret. + For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - token + type: object + required: + - apikey + type: object + caBundle: + description: |- + CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this when your BeyondTrust instance uses a self-signed certificate or internal CA. + If not set, the system's trusted root certificates are used. + format: byte + type: string + caProvider: + description: |- + CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate. + This is used to validate the BeyondTrust Workload Credentials API TLS certificate. + Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + folderPath: + description: |- + FolderPath specifies the default folder path for secret retrieval. + Secrets will be fetched from this folder unless overridden in the ExternalSecret spec. + Example: "production/database" or "dev/api-keys" + Leave empty to retrieve secrets from the root folder. 
+ For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders + type: string + server: + description: |- + Server configures the BeyondTrust Workload Credentials server connection details. + Includes the API URL and Site ID for your BeyondTrust instance. + For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + properties: + apiUrl: + description: |- + APIURL is the base URL of your BeyondTrust Workload Credentials API server. + This should be the full URL to your BeyondTrust instance. + Example: https://api.beyondtrust.io/siie + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url + type: string + siteId: + description: |- + SiteID is your BeyondTrust Workload Credentials site identifier (UUID format). + This identifier is unique to your BeyondTrust Workload Credentials instance. + You can find your Site ID in the BeyondTrust Workload Credentials admin console. + Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890 + For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api + type: string + required: + - apiUrl + - siteId + type: object + required: + - auth + - server + type: object bitwardensecretsmanager: description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider properties: @@ -3101,6 +3232,11 @@ spec: default: true description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided. type: boolean + organizationSlug: + description: |- + OrganizationSlug is the optional slug that identifies the organization that will be used + during authentication. Useful for sub-organization setups + type: string projectSlug: description: ProjectSlug is the required slug identifier for the project. type: string 
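Review bot: `server.apiUrl` is only `type: string`, yet the bearer token referenced by `auth.apikey.token` is sent to that address on every request, so an `http://` value is accepted at admission and would put the API token on the wire in cleartext. The generating Go type could carry a pattern marker so the schema here gains `pattern: ^https://` under `apiUrl:`; `siteId` is likewise documented as "UUID format" but unconstrained, and could take `pattern: ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`. The identical provider block appears in the ClusterSecretStore CRD (its hunk begins before this chunk), so any tightening should land in both.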
@@ -3751,6 +3887,265 @@ spec: - auth - vault type: object + openBao: + description: OpenBao configures this store to sync secrets using the OpenBao provider. + properties: + auth: + description: Auth configures how secret-manager authenticates with the OpenBao server. + properties: + appRole: + description: |- + AppRole authenticates with OpenBao using the [App Role auth mechanism], + with the role and secret stored in a Kubernetes Secret resource. + + [App Role auth mechanism]: https://openbao.org/docs/auth/approle/ + properties: + path: + default: approle + description: |- + Path where the App Role authentication backend is mounted + in OpenBao, e.g: "approle" + type: string + roleId: + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in OpenBao. + minLength: 1 + type: string + roleRef: + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with OpenBao. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + secretRef: + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with OpenBao. 
+ The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - path + - secretRef + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [roleId roleRef] must be set + rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1' + namespace: + description: |- + Name of the [OpenBao Namespace] to authenticate to. This can be different + than the namespace your secret is in. Namespaces is a set of features + within OpenBao that allows OpenBao environments to support secure + multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field + if set, or empty otherwise + + [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/ + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with OpenBao by presenting a token. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + userPass: + description: UserPass authenticates with OpenBao by passing a username/password pair + properties: + path: + default: userpass + description: |- + Path where the UserPassword authentication backend is mounted + in OpenBao, e.g: "userpass" + type: string + secretRef: + description: |- + SecretRef to a key in a Secret resource containing password for the user + used to authenticate with OpenBao using the [UserPass authentication + method] + + [UserPass authentication method]: https://openbao.org/docs/auth/userpass/ + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + username: + description: |- + Username is a username used to authenticate using the [UserPass + authentication method] + + [UserPass authentication method]: https://openbao.org/docs/auth/userpass/ + type: string + required: + - path + - username + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set + rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1' + caBundle: + description: |- + PEM encoded CA bundle used to validate the OpenBao server certificate. If + this and `caProvider` are not set the system root certificates are used + to validate the TLS connection. + format: byte + type: string + caProvider: + description: |- + The provider for the CA bundle to use to validate OpenBao server + certificate. If this and `caBundle` are not set the system root + certificates are used to validate the TLS connection. + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the object located at the provider type. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object + namespace: + description: |- + Name of the [OpenBao Namespace]. 
Namespaces is a set of features within + OpenBao that allows OpenBao environments to support secure multi-tenancy. + e.g: "ns1". + + [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/ + type: string + path: + description: |- + Path is the mount path of the OpenBao KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from OpenBao is optional and will be appended + if not present in specified path. + type: string + server: + description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.' + type: string + version: + default: v2 + description: |- + Version is the OpenBao KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". + enum: + - v1 + - v2 + type: string + required: + - server + type: object + x-kubernetes-validations: + - message: at most one of the fields in [caBundle caProvider] may be set + rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1' oracle: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: diff --git a/charts/external-secrets/templates/deployment.yaml b/charts/external-secrets/templates/deployment.yaml index bcdd064de9..a92e03c5ce 100644 --- a/charts/external-secrets/templates/deployment.yaml +++ b/charts/external-secrets/templates/deployment.yaml @@ -100,6 +100,9 @@ spec: {{- if not .Values.processSecretStore }} - --enable-secret-store-reconciler=false {{- end }} + {{- if .Values.storeRequeueInterval }} + - --store-requeue-interval={{ .Values.storeRequeueInterval }} + {{- end }} {{- if .Values.controllerClass }} - --controller-class={{ .Values.controllerClass }} {{- end }} diff --git a/charts/external-secrets/templates/poddisruptionbudget.yaml b/charts/external-secrets/templates/poddisruptionbudget.yaml index 52e254f4bc..ee62ac043c 100644 --- a/charts/external-secrets/templates/poddisruptionbudget.yaml 
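Review bot: In this namespaced SecretStore CRD, `openBao.caProvider.namespace` is documented as `Can only be defined when used in a ClusterSecretStore.` but nothing in the schema rejects it, unlike the sibling `secretRef` namespaces, which are documented as ignored rather than forbidden. If the admission webhook does not already reject it (that is not visible in this diff), a CEL rule alongside the existing `x-kubernetes-validations` entry on the `openBao` object would make the description true at admission time: `- message: caProvider.namespace may only be set on a ClusterSecretStore` / `rule: '!has(self.caProvider) || !has(self.caProvider.namespace)'`. Otherwise the description should be reworded to say the field is ignored here, so users do not assume a cross-namespace CA reference is honoured.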
+++ b/charts/external-secrets/templates/poddisruptionbudget.yaml @@ -7,9 +7,9 @@ metadata: labels: {{- include "external-secrets.labels" . | nindent 4 }} spec: - {{- if .Values.podDisruptionBudget.maxUnavailable }} + {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }} maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} - {{- else if .Values.podDisruptionBudget.minAvailable }} + {{- else if hasKey .Values.podDisruptionBudget "minAvailable" }} minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} {{- end }} selector: diff --git a/charts/external-secrets/templates/rbac.yaml b/charts/external-secrets/templates/rbac.yaml index 28084be117..8b5802c576 100644 --- a/charts/external-secrets/templates/rbac.yaml +++ b/charts/external-secrets/templates/rbac.yaml @@ -113,6 +113,7 @@ rules: - "webhooks" - "grafanas" - "mfas" + - "beyondtrustworkloadcredentialsdynamicsecrets" verbs: - "get" - "list" @@ -273,6 +274,7 @@ rules: - "generators.external-secrets.io" resources: - "acraccesstokens" + - "beyondtrustworkloadcredentialsdynamicsecrets" - "cloudsmithaccesstokens" {{- if .Values.processClusterGenerator }} - "clustergenerators" @@ -353,6 +355,7 @@ rules: - "grafanas" - "generatorstates" - "mfas" + - "beyondtrustworkloadcredentialsdynamicsecrets" - "uuids" verbs: - "create" diff --git a/charts/external-secrets/templates/service.yaml b/charts/external-secrets/templates/service.yaml index b859670c5c..a2d6122433 100644 --- a/charts/external-secrets/templates/service.yaml +++ b/charts/external-secrets/templates/service.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "external-secrets.fullname" . }}-metrics + name: {{ include "external-secrets.componentName" (list . "-metrics") }} namespace: {{ template "external-secrets.namespace" . }} labels: {{- include "external-secrets.labels" . | nindent 4 }} 
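Review bot: The new `"beyondtrustworkloadcredentialsdynamicsecrets"` resource is inserted in sorted position after `"acraccesstokens"` in the second rbac.yaml hunk (`@@ -273,6 +274,7 @@`) but appended after `"mfas"` in the first (`@@ -113,6 +113,7 @@`) and third (`@@ -353,6 +355,7 @@`). All three rules are expected to list the same set of generator kinds, and keeping one ordering across them makes it much easier to audit that no kind is missing from one rule; a one-line move in the first and third hunks would align them. Each enclosing `rules:` block starts and ends outside its hunk.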
diff --git a/charts/external-secrets/templates/validatingwebhook.yaml b/charts/external-secrets/templates/validatingwebhook.yaml index b1f890924a..b350b82a32 100644 --- a/charts/external-secrets/templates/validatingwebhook.yaml +++ b/charts/external-secrets/templates/validatingwebhook.yaml @@ -26,7 +26,7 @@ webhooks: clientConfig: service: namespace: {{ template "external-secrets.namespace" . }} - name: {{ include "external-secrets.fullname" . }}-webhook + name: {{ include "external-secrets.componentName" (list . "-webhook") }} path: /validate-external-secrets-io-v1-secretstore admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None @@ -43,7 +43,7 @@ webhooks: clientConfig: service: namespace: {{ template "external-secrets.namespace" . }} - name: {{ include "external-secrets.fullname" . }}-webhook + name: {{ include "external-secrets.componentName" (list . "-webhook") }} path: /validate-external-secrets-io-v1-clustersecretstore admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None @@ -77,7 +77,7 @@ webhooks: clientConfig: service: namespace: {{ template "external-secrets.namespace" . }} - name: {{ include "external-secrets.fullname" . }}-webhook + name: {{ include "external-secrets.componentName" (list . "-webhook") }} path: /validate-external-secrets-io-v1-externalsecret admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None diff --git a/charts/external-secrets/templates/webhook-certificate.yaml b/charts/external-secrets/templates/webhook-certificate.yaml index d4f505bba4..6b575b589b 100644 --- a/charts/external-secrets/templates/webhook-certificate.yaml +++ b/charts/external-secrets/templates/webhook-certificate.yaml 
@@ -13,11 +13,11 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
- commonName: {{ include "external-secrets.fullname" . }}-webhook
+ commonName: {{ include "external-secrets.componentName" (list . "-webhook") }}
 dnsNames:
- - {{ include "external-secrets.fullname" . }}-webhook
- - {{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}
- - {{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}.svc
+ - {{ include "external-secrets.componentName" (list . "-webhook") }}
+ - {{ include "external-secrets.componentName" (list . "-webhook") }}.{{ template "external-secrets.namespace" . }}
+ - {{ include "external-secrets.componentName" (list . "-webhook") }}.{{ template "external-secrets.namespace" . }}.svc
 issuerRef:
 {{- toYaml .Values.webhook.certManager.cert.issuerRef | nindent 4 }}
 {{- with .Values.webhook.certManager.cert.duration }}
diff --git a/charts/external-secrets/templates/webhook-deployment.yaml b/charts/external-secrets/templates/webhook-deployment.yaml
index dc9cf61645..43c24d9be1 100644
--- a/charts/external-secrets/templates/webhook-deployment.yaml
+++ b/charts/external-secrets/templates/webhook-deployment.yaml
@@ -71,7 +71,7 @@ spec:
 args:
 - webhook
 - --port={{ .Values.webhook.port }}
- - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}.svc
+ - --dns-name={{ include "external-secrets.componentName" (list . "-webhook") }}.{{ template "external-secrets.namespace" . }}.svc
 - --cert-dir={{ .Values.webhook.certDir }}
 - --check-interval={{ .Values.webhook.certCheckInterval }}
 - --metrics-addr=:{{ .Values.webhook.metrics.listen.port }}
diff --git a/charts/external-secrets/templates/webhook-poddisruptionbudget.yaml b/charts/external-secrets/templates/webhook-poddisruptionbudget.yaml
index 5812819d60..59ef75021a 100644
--- a/charts/external-secrets/templates/webhook-poddisruptionbudget.yaml
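Review bot: The webhook serving certificate's commonName and dnsNames now come from the `external-secrets.componentName` helper and must stay byte-identical to the webhook Service name that the API server dials through the ValidatingWebhookConfiguration clientConfig and to the `--dns-name` argument of the webhook deployment; this diff updates those call sites consistently, but the helper itself (the _helpers.tpl change) is not visible here, so I cannot confirm it produces the same string as the old `fullname` plus `-webhook` for existing releases or how it truncates long release names. If any of these names diverge, the API server's TLS handshake to the webhook fails and, depending on the failurePolicy (not visible in this chunk), every (Cluster)SecretStore and ExternalSecret write is either rejected or silently skips validation. I would add a chart test that renders the templates and asserts the Certificate dnsNames, the webhook Service name and the `--dns-name` value agree, plus a comment above dnsNames: `# Must match the webhook Service name and the webhook's --dns-name; a mismatch breaks the API server's TLS handshake to the webhook.` The Certificate spec continues outside this hunk.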
+++ b/charts/external-secrets/templates/webhook-poddisruptionbudget.yaml
@@ -8,9 +8,9 @@ metadata:
 {{- include "external-secrets-webhook.labels" . | nindent 4 }}
 external-secrets.io/component: webhook
 spec:
- {{- if .Values.webhook.podDisruptionBudget.maxUnavailable }}
+ {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
 maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
- {{- else if .Values.webhook.podDisruptionBudget.minAvailable }}
+ {{- else if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
 minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
 {{- end }}
 selector:
diff --git a/charts/external-secrets/templates/webhook-service.yaml b/charts/external-secrets/templates/webhook-service.yaml
index f01b3af1ac..d6f9fbd513 100644
--- a/charts/external-secrets/templates/webhook-service.yaml
+++ b/charts/external-secrets/templates/webhook-service.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
- name: {{ include "external-secrets.fullname" . }}-webhook
+ name: {{ include "external-secrets.componentName" (list . "-webhook") }}
 namespace: {{ template "external-secrets.namespace" . }}
 labels:
 {{- include "external-secrets-webhook.labels" . | nindent 4 }}
diff --git a/charts/external-secrets/values.schema.json b/charts/external-secrets/values.schema.json
index 0c36f371db..720be1c368 100644
--- a/charts/external-secrets/values.schema.json
+++ b/charts/external-secrets/values.schema.json
@@ -912,6 +912,9 @@
 }
 }
 },
+ "storeRequeueInterval": {
+ "type": "string"
+ },
 "strategy": {
 "type": "object"
 },
diff --git a/charts/external-secrets/values.yaml b/charts/external-secrets/values.yaml
index d75f721ef2..3f246fab31 100644
--- a/charts/external-secrets/values.yaml
+++ b/charts/external-secrets/values.yaml
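Review bot: The new `storeRequeueInterval` schema entry only constrains the type to string, so a value such as `5min` or `300` passes `helm lint` and schema validation and only fails later inside the controller (the deployment.yaml wiring is not visible in this chunk, but the values comment calls it a time duration, so presumably it is parsed as a Go duration flag). Tightening it to `"type": "string", "pattern": "^$|^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$"` accepts the empty default and every valid Go duration while rejecting typos at template time. The enclosing properties object starts and ends outside this hunk.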
@@ -132,6 +132,9 @@ processClusterStore: true
 # -- if true, the operator will process secret store. Else, it will ignore them.
 processSecretStore: true
+# -- Default time duration between reconciling (Cluster)SecretStores.
+storeRequeueInterval: ""
+
 # -- if true, the operator will process cluster generator. Else, it will ignore them.
 processClusterGenerator: true
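Review bot: The comment on `storeRequeueInterval` says it is a time duration but not which format is expected or what the empty default means, so a user cannot tell whether `"5m"`, `300` or `5 minutes` is valid, or whether `""` disables periodic reconciliation. Suggest `# -- Default time duration between reconciling (Cluster)SecretStores, as a Go duration string (e.g. "5m"). Leave empty to use the controller's built-in default.`, assuming the deployment template omits the flag when the value is empty, which is not visible in this chunk and should be confirmed before the comment promises it. Keep the default written as `""` rather than a bare `storeRequeueInterval:` so the rendered value stays a string and cannot become null.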