Update Helm release external-secrets to v2.7.0 #303
Merged
Argo CD Diff Preview
Summary: Modified (1):
± sandbox-oci-external-secrets (+1382|-9)sandbox-oci-external-secrets (applications/appset-ops-tools.yaml)Deployment: external-secrets/sandbox-oci-external-secrets - --metrics-addr=:8080
- --loglevel=info
- --zap-time-encoding=epoch
- image: ghcr.io/external-secrets/external-secrets:v2.6.0
+ image: ghcr.io/external-secrets/external-secrets:v2.7.0
imagePullPolicy: IfNotPresent
name: external-secrets
ports:Deployment: external-secrets/sandbox-oci-external-secrets-cert-controller - --loglevel=info
- --zap-time-encoding=epoch
- --enable-partial-cache=true
- image: ghcr.io/external-secrets/external-secrets:v2.6.0
+ image: ghcr.io/external-secrets/external-secrets:v2.7.0
imagePullPolicy: IfNotPresent
name: cert-controller
ports:Deployment: external-secrets/sandbox-oci-external-secrets-webhook - --healthz-addr=:8081
- --loglevel=info
- --zap-time-encoding=epoch
- image: ghcr.io/external-secrets/external-secrets:v2.6.0
+ image: ghcr.io/external-secrets/external-secrets:v2.7.0
imagePullPolicy: IfNotPresent
name: webhook
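Review bot: all three `image:` bumps (the external-secrets, cert-controller and webhook Deployments) still reference the image by the mutable tag `v2.7.0`, so what actually runs is whatever the registry serves for that tag at sync time, not what this diff was reviewed against. For the component that holds credentials to every external secret store, pin the digest next to the tag (`image: ghcr.io/external-secrets/external-secrets:v2.7.0@sha256:<digest>`, placeholder digest) so the rendered manifest, not the registry, decides which bytes execute; the update tooling can then bump tag and digest together.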
ports:ClusterRole: sandbox-oci-external-secrets-cert-controller - get
- list
- watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resourceNames:
+ - externalsecrets.external-secrets.io
+ - secretstores.external-secrets.io
+ - clustersecretstores.external-secrets.io
+ resources:
+ - customresourcedefinitions
+ verbs:
- update
- patch
- apiGroups:
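Review bot: the inserted rule in this hunk splits the old single CRD rule so that `update`/`patch` on `customresourcedefinitions` is limited by `resourceNames` to `externalsecrets`, `secretstores` and `clustersecretstores`, while `get`/`list`/`watch` stay in the preceding unscoped rule; that is a genuine least-privilege gain. The flip side is that any CRD the cert-controller needs to patch but which is absent from `resourceNames` is now denied, so the list should be checked against the v2.7.0 release notes rather than assumed complete from the pre-upgrade behaviour.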
@@ skipped 45 lines (33 -> 77) @@
- get
- list
- watch
+- apiGroups:
+ - ""
+ resourceNames:
+ - sandbox-oci-external-secrets-webhook
+ resources:
+ - secrets
+ verbs:
- update
- patch
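Review bot: `update`/`patch` on `secrets` is now restricted by `resourceNames` to `sandbox-oci-external-secrets-webhook`, which is the right shape for a controller that only rotates its own serving certificate. Keep in mind that `resourceNames` only constrains `get`, `update`, `patch` and `delete`; the `list`/`watch` verbs left in the preceding rule cannot be name-scoped, and if that rule (its `resources:` fall in the skipped region) covers `secrets`, this ClusterRole can still enumerate every Secret in the cluster. Worth opening the full rendered manifest to confirm.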
- apiGroups:ClusterRole: sandbox-oci-external-secrets-controller - webhooks
- grafanas
- mfas
+ - beyondtrustworkloadcredentialsdynamicsecrets
verbs:
- get
- listClusterRole: sandbox-oci-external-secrets-edit - grafanas
- generatorstates
- mfas
+ - beyondtrustworkloadcredentialsdynamicsecrets
- uuids
verbs:
- createClusterRole: sandbox-oci-external-secrets-view - generators.external-secrets.io
resources:
- acraccesstokens
+ - beyondtrustworkloadcredentialsdynamicsecrets
- cloudsmithaccesstokens
- clustergenerators
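Review bot: the new `beyondtrustworkloadcredentialsdynamicsecrets` resource is added to the controller role (`get`/`list`) and to the aggregated `edit` and `view` ClusterRoles in these three hunks. Through `edit`, anyone with namespace-level edit rights can `create` a generator that calls out to the BeyondTrust API using any token Secret they can name in that namespace; that is consistent with how the other generators in these lists are treated, so no objection, but it belongs in the threat model for namespaces where `edit` is granted broadly.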
- ecrauthorizationtokensCustomResourceDefinition: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.19.0
+ labels:
+ external-secrets.io/component: controller
+ name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: BeyondtrustWorkloadCredentialsDynamicSecret
+ listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
+ plural: beyondtrustworkloadcredentialsdynamicsecrets
+ singular: beyondtrustworkloadcredentialsdynamicsecret
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
+ This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
+ (such as AWS STS credentials) each time an ExternalSecret is refreshed.
+ Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
+ For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
+ This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
+ For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ properties:
+ controller:
+ description: |-
+ Controller selects the controller that should handle this generator.
+ Leave empty to use the default controller.
+ type: string
+ provider:
+ description: |-
+ Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
+ server connection details, and the folder path to the dynamic secret definition.
+ The folderPath should point to a dynamic secret definition that has been created in
+ BeyondTrust Workload Credentials (e.g., "production/aws-temp").
+ For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ properties:
+ auth:
+ description: |-
+ Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
+ Currently supports API key authentication via Kubernetes secret reference.
+ For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
+ properties:
+ apikey:
+ description: |-
+ APIKey configures API token authentication for BeyondTrust Workload Credentials.
+ The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
+ properties:
+ token:
+ description: |-
+ Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
+ The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
+ Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
+ For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - token
+ type: object
+ required:
+ - apikey
+ type: object
+ caBundle:
+ description: |-
+ CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
+ Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
+ If not set, the system's trusted root certificates are used.
+ format: byte
+ type: string
+ caProvider:
+ description: |-
+ CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
+ This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
+ Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
+ properties:
+ key:
+ description: The key where the CA certificate can be found
+ in the Secret or ConfigMap.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the object located at the provider
+ type.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type:
+ description: The type of provider to use such as "Secret",
+ or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ folderPath:
+ description: |-
+ FolderPath specifies the default folder path for secret retrieval.
+ Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
+ Example: "production/database" or "dev/api-keys"
+ Leave empty to retrieve secrets from the root folder.
+ For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
+ type: string
+ server:
+ description: |-
+ Server configures the BeyondTrust Workload Credentials server connection details.
+ Includes the API URL and Site ID for your BeyondTrust instance.
+ For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ properties:
+ apiUrl:
+ description: |-
+ APIURL is the base URL of your BeyondTrust Workload Credentials API server.
+ This should be the full URL to your BeyondTrust instance.
+ Example: https://api.beyondtrust.io/siie
+ For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
+ type: string
+ siteId:
+ description: |-
+ SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
+ This identifier is unique to your BeyondTrust Workload Credentials instance.
+ You can find your Site ID in the BeyondTrust Workload Credentials admin console.
+ Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
+ For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ type: string
+ required:
+ - apiUrl
+ - siteId
+ type: object
+ required:
+ - auth
+ - server
+ type: object
+ retrySettings:
+ description: |-
+ RetrySettings configures exponential backoff for failed API requests.
+ If not specified, uses the default retry settings.
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
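Review bot: `spec.provider.server.apiUrl` is a bare `type: string` with no `pattern`, yet the `apikey` description says the token is sent as a Bearer token on every request, so a typo'd `http://` URL passes admission and the API key goes out in plaintext; a `pattern: ^https://` (or a CEL rule) rejects that at create time. Same theme elsewhere in this CRD: `siteId` is documented as UUID format but carries no `pattern`, and `retrySettings.retryInterval` is an unconstrained string with no duration pattern, so malformed values surface only as reconcile errors instead of admission errors.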
+ status: {}CustomResourceDefinition: clusterexternalsecrets.external-secrets.io - Fetch
type: string
nullBytePolicy:
- default: Ignore
description: Controls how ESO handles fetched secret
data containing NUL bytes for this source.
enum:
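Review bot: dropping `default: Ignore` from `nullBytePolicy` (here and in the two later occurrences in this CRD) removes the API-server-applied default, so objects that never set the field now read as unset and get whatever fallback the controller implements. The diff cannot show the controller side; confirm in the v2.7.0 release notes what the effective default is before merging, since a stricter fallback would show up as sync failures on any secret whose data contains NUL bytes.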
@@ skipped 41 lines (126 -> 166) @@
description: Specify the Kind of the generator resource
enum:
- ACRAccessToken
+ - BeyondtrustWorkloadCredentialsDynamicSecret
- ClusterGenerator
- CloudsmithAccessToken
- ECRAuthorizationToken
@@ skipped 88 lines (174 -> 261) @@
- Fetch
type: string
nullBytePolicy:
- default: Ignore
description: Controls how ESO handles fetched secret
data containing NUL bytes for this source.
enum:
@@ skipped 40 lines (269 -> 308) @@
type: string
type: object
nullBytePolicy:
- default: Ignore
description: Controls how ESO handles fetched secret
data containing NUL bytes for this find source.
enum:
@@ skipped 118 lines (316 -> 433) @@
description: Specify the Kind of the generator resource
enum:
- ACRAccessToken
+ - BeyondtrustWorkloadCredentialsDynamicSecret
- ClusterGenerator
- CloudsmithAccessToken
- ECRAuthorizationToken
@@ skipped 82 lines (441 -> 522) @@
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type: object
+ syncWindows:
+ description: |-
+ SyncWindows optionally restricts when periodic refreshes may occur.
+ Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset).
+ properties:
+ kind:
+ description: |-
+ Kind applies to every window in the list.
+ "allow" -- syncs are permitted only while at least one window is active;
+ all other times are blocked.
+ "deny" -- syncs are blocked while any window is active;
+ all other times are permitted.
+ enum:
+ - allow
+ - deny
+ type: string
+ windows:
+ description: Windows is the list of schedule+duration pairs.
+ items:
+ description: |-
+ ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair
+ within a SyncWindows block.
+ properties:
+ duration:
+ description: |-
+ Duration specifies how long the window stays open after each Schedule
+ firing. Example: "8h".
+ type: string
+ schedule:
+ description: |-
+ Schedule is a standard 5-field cron expression evaluated in UTC, or a
+ named shorthand such as @daily or @every 1h. It marks the start time of
+ each window occurrence.
+ Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC.
+ minLength: 1
+ pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every
+ [^\s]+.*|[^\s]+( [^\s]+){4})$
+ type: string
+ required:
+ - duration
+ - schedule
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - kind
+ - windows
+ type: object
target:
default:
creationPolicy: Owner
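Review bot: in the new `syncWindows` block the `schedule` pattern is permissive (`@every [^\s]+.*` accepts any trailing text and the 5-field branch only checks for five whitespace-separated tokens) and `duration` has no pattern at all, so entries like `"8 hours"` pass admission and fail only when the controller parses them; a Go-duration pattern such as `^([0-9]+(\.[0-9]+)?(ns|us|ms|s|m|h))+$` on `duration` would catch that early. Also note the fail-open property of `kind: deny`: a schedule that never fires (a typo, or an invalid day/month combination) produces no active window, so syncs are never blocked and nothing in the schema can flag it; deny windows deserve a staging test before they are relied on.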
@@ skipped 196 lines (577 -> 772) @@
For Secret resources, common values are: "Data", "Annotations", "Labels".
For custom resources (when spec.target.manifest is set), this supports
nested paths like "spec.database.config" or "data".
+ type: string
+ valuesDecodingStrategy:
+ default: None
+ description: Used to define a decoding Strategy
+ for the rendered template values.
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
type: string
type: object
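Review bot: `valuesDecodingStrategy` defaulting to `None` is the right conservative choice, but the description "Used to define a decoding Strategy for the rendered template values" is the only documentation in this hunk, and it does not say what `Auto` does when a rendered value is not valid base64 or is valid base64 by coincidence. Since a wrong guess here silently corrupts the written Secret, the description should state the `Auto` fallback behaviour so users can decide between `Auto` and an explicit `Base64`/`Base64URL`.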
type: arrayCustomResourceDefinition: clustergenerators.generators.external-secrets.io - auth
- registry
type: object
+ beyondtrustWorkloadCredentialsDynamicSecretSpec:
+ description: |-
+ BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
+ This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
+ For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ properties:
+ controller:
+ description: |-
+ Controller selects the controller that should handle this generator.
+ Leave empty to use the default controller.
+ type: string
+ provider:
+ description: |-
+ Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
+ server connection details, and the folder path to the dynamic secret definition.
+ The folderPath should point to a dynamic secret definition that has been created in
+ BeyondTrust Workload Credentials (e.g., "production/aws-temp").
+ For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ properties:
+ auth:
+ description: |-
+ Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
+ Currently supports API key authentication via Kubernetes secret reference.
+ For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
+ properties:
+ apikey:
+ description: |-
+ APIKey configures API token authentication for BeyondTrust Workload Credentials.
+ The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
+ properties:
+ token:
+ description: |-
+ Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
+ The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
+ Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
+ For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource
+ being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - token
+ type: object
+ required:
+ - apikey
+ type: object
+ caBundle:
+ description: |-
+ CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
+ Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
+ If not set, the system's trusted root certificates are used.
+ format: byte
+ type: string
+ caProvider:
+ description: |-
+ CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
+ This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
+ Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
+ properties:
+ key:
+ description: The key where the CA certificate can
+ be found in the Secret or ConfigMap.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the object located at the
+ provider type.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type:
+ description: The type of provider to use such as "Secret",
+ or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ folderPath:
+ description: |-
+ FolderPath specifies the default folder path for secret retrieval.
+ Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
+ Example: "production/database" or "dev/api-keys"
+ Leave empty to retrieve secrets from the root folder.
+ For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
+ type: string
+ server:
+ description: |-
+ Server configures the BeyondTrust Workload Credentials server connection details.
+ Includes the API URL and Site ID for your BeyondTrust instance.
+ For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ properties:
+ apiUrl:
+ description: |-
+ APIURL is the base URL of your BeyondTrust Workload Credentials API server.
+ This should be the full URL to your BeyondTrust instance.
+ Example: https://api.beyondtrust.io/siie
+ For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
+ type: string
+ siteId:
+ description: |-
+ SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
+ This identifier is unique to your BeyondTrust Workload Credentials instance.
+ You can find your Site ID in the BeyondTrust Workload Credentials admin console.
+ Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
+ For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ type: string
+ required:
+ - apiUrl
+ - siteId
+ type: object
+ required:
+ - auth
+ - server
+ type: object
+ retrySettings:
+ description: |-
+ RetrySettings configures exponential backoff for failed API requests.
+ If not specified, uses the default retry settings.
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
cloudsmithAccessTokenSpec:
description: CloudsmithAccessTokenSpec defines the configuration
for generating a Cloudsmith access token using OIDC authentication.
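Review bot: `beyondtrustWorkloadCredentialsDynamicSecretSpec` on the cluster-scoped ClusterGenerator reuses the namespaced schema verbatim, and per the `token.namespace` description ("Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent") a ClusterGenerator may point at a token Secret in any namespace. That makes the right to create ClusterGenerators equivalent to using any BeyondTrust API token stored anywhere in the cluster; keep that verb with cluster admins and out of aggregated roles.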
@@ skipped 2163 lines (383 -> 2545) @@
description: Kind the kind of this generator.
enum:
- ACRAccessToken
+ - BeyondtrustWorkloadCredentialsDynamicSecret
- CloudsmithAccessToken
- ECRAuthorizationToken
- Fake
@@ skipped 7 lines (2553 -> 2559) @@
- VaultDynamicSecret
- Webhook
- Grafana
+ - MFA
type: string
required:
- generatorCustomResourceDefinition: clusterpushsecrets.external-secrets.io description: Specify the Kind of the generator resource
enum:
- ACRAccessToken
+ - BeyondtrustWorkloadCredentialsDynamicSecret
- ClusterGenerator
- CloudsmithAccessToken
- ECRAuthorizationToken
@@ skipped 216 lines (434 -> 649) @@
For Secret resources, common values are: "Data", "Annotations", "Labels".
For custom resources (when spec.target.manifest is set), this supports
nested paths like "spec.database.config" or "data".
+ type: string
+ valuesDecodingStrategy:
+ default: None
+ description: Used to define a decoding Strategy for
+ the rendered template values.
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
type: string
type: object
type: arrayCustomResourceDefinition: clustersecretstores.external-secrets.io Valid values are:
- "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+ - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID
enum:
- ServicePrincipal
- ManagedIdentity
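Review bot: this hunk adds `"WorkloadIdentity"` to the `authType` description, but the visible `enum` lines end at `ManagedIdentity` with no matching `+ - WorkloadIdentity`, and the skip begins immediately after. Either the enum already listed it and only the docs are catching up, or the description now advertises a value the schema rejects; check the full manifest so the documented option is actually admitted.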
@@ skipped 419 lines (740 -> 1158) @@
required:
- apiUrl
- verifyCA
+ type: object
+ required:
+ - auth
+ - server
+ type: object
+ beyondtrustworkloadcredentials:
+ description: BeyondtrustWorkloadCredentials configures this store
+ to sync secrets using the BeyondTrust Workload Credentials provider.
+ properties:
+ auth:
+ description: |-
+ Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
+ Currently supports API key authentication via Kubernetes secret reference.
+ For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
+ properties:
+ apikey:
+ description: |-
+ APIKey configures API token authentication for BeyondTrust Workload Credentials.
+ The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
+ properties:
+ token:
+ description: |-
+ Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
+ The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
+ Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
+ For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - token
+ type: object
+ required:
+ - apikey
+ type: object
+ caBundle:
+ description: |-
+ CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
+ Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
+ If not set, the system's trusted root certificates are used.
+ format: byte
+ type: string
+ caProvider:
+ description: |-
+ CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
+ This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
+ Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
+ properties:
+ key:
+ description: The key where the CA certificate can be found
+ in the Secret or ConfigMap.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the object located at the provider
+ type.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type:
+ description: The type of provider to use such as "Secret",
+ or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ folderPath:
+ description: |-
+ FolderPath specifies the default folder path for secret retrieval.
+ Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
+ Example: "production/database" or "dev/api-keys"
+ Leave empty to retrieve secrets from the root folder.
+ For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
+ type: string
+ server:
+ description: |-
+ Server configures the BeyondTrust Workload Credentials server connection details.
+ Includes the API URL and Site ID for your BeyondTrust instance.
+ For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ properties:
+ apiUrl:
+ description: |-
+ APIURL is the base URL of your BeyondTrust Workload Credentials API server.
+ This should be the full URL to your BeyondTrust instance.
+ Example: https://api.beyondtrust.io/siie
+ For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
+ type: string
+ siteId:
+ description: |-
+ SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
+ This identifier is unique to your BeyondTrust Workload Credentials instance.
+ You can find your Site ID in the BeyondTrust Workload Credentials admin console.
+ Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
+ For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
+ type: string
+ required:
+ - apiUrl
+ - siteId
type: object
required:
- auth
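Review bot: in the new `beyondtrustworkloadcredentials` store provider, `caBundle` and `caProvider` are described as alternatives but nothing enforces that, so a store can carry both and the reader of the manifest cannot tell which CA actually validates the TLS connection. The OpenBao block later in this diff shows the project already uses `x-kubernetes-validations` CEL rules for exactly-one-of constraints; the same pattern (`[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1`) would fit here.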
@@ skipped 2167 lines (1300 -> 3466) @@
secret references should be expanded. Defaults to true
if not provided.
type: boolean
+ organizationSlug:
+ description: |-
+ OrganizationSlug is the optional slug that identifies the organization that will be used
+ during authentication. Useful for sub-organization setups
+ type: string
projectSlug:
description: ProjectSlug is the required slug identifier
for the project.
@@ skipped 695 lines (3478 -> 4172) @@
- auth
- vault
type: object
+ openBao:
+ description: OpenBao configures this store to sync secrets using
+ the OpenBao provider.
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates
+ with the OpenBao server.
+ properties:
+ appRole:
+ description: |-
+ AppRole authenticates with OpenBao using the [App Role auth mechanism],
+ with the role and secret stored in a Kubernetes Secret resource.
+
+ [App Role auth mechanism]: https://openbao.org/docs/auth/approle/
+ properties:
+ path:
+ default: approle
+ description: |-
+ Path where the App Role authentication backend is mounted
+ in OpenBao, e.g: "approle"
+ type: string
+ roleId:
+ description: |-
+ RoleID configured in the App Role authentication backend when setting
+ up the authentication backend in OpenBao.
+ minLength: 1
+ type: string
+ roleRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role ID used
+ to authenticate with OpenBao.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role id.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role secret used
+ to authenticate with OpenBao.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role secret.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - path
+ - secretRef
+ type: object
+ x-kubernetes-validations:
+ - message: exactly one of the fields in [roleId roleRef]
+ must be set
+ rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size()
+ == 1'
+ namespace:
+ description: |-
+ Name of the [OpenBao Namespace] to authenticate to. This can be different
+ than the namespace your secret is in. Namespaces is a set of features
+ within OpenBao that allows OpenBao environments to support secure
+ multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field
+ if set, or empty otherwise
+
+ [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
+ type: string
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with OpenBao
+ by presenting a token.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ userPass:
+ description: UserPass authenticates with OpenBao by passing
+ a username/password pair
+ properties:
+ path:
+ default: userpass
+ description: |-
+ Path where the UserPassword authentication backend is mounted
+ in OpenBao, e.g: "userpass"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the user
+ used to authenticate with OpenBao using the [UserPass authentication
+ method]
+
+ [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being
+ referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a username used to authenticate using the [UserPass
+ authentication method]
+
+ [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: exactly one of the fields in [appRole tokenSecretRef
+ userPass] must be set
+ rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size()
+ == 1'
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate the OpenBao server certificate. If
+ this and `caProvider` are not set the system root certificates are used
+ to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: |-
+ The provider for the CA bundle to use to validate OpenBao server
+ certificate. If this and `caBundle` are not set the system root
+ certificates are used to validate the TLS connection.
+ properties:
+ key:
+ description: The key where the CA certificate can be found
+ in the Secret or ConfigMap.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the object located at the provider
+ type.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type:
+ description: The type of provider to use such as "Secret",
+ or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ namespace:
+ description: |-
+ Name of the [OpenBao Namespace]. Namespaces is a set of features within
+ OpenBao that allows OpenBao environments to support secure multi-tenancy.
+ e.g: "ns1".
+
+ [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
+ type: string
+ path:
+ description: |-
+ Path is the mount path of the OpenBao KV backend endpoint, e.g:
+ "secret". The v2 KV secret engine version specific "/data" path suffix
+ for fetching secrets from OpenBao is optional and will be appended
+ if not present in specified path.
+ type: string
+ server:
+ description: 'Server is the connection address for the OpenBao
+ server, e.g: `https://openbao.example.com:8200`.'
+ type: string
+ version:
+ default: v2
+ description: |-
+ Version is the OpenBao KV secret engine version. This can be either "v1" or
+ "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - server
+ type: object
+ x-kubernetes-validations:
+ - message: at most one of the fields in [caBundle caProvider]
+ may be set
+ rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size()
+ <= 1'
oracle:
description: Oracle configures this store to sync secrets using
Oracle Vault providerCustomResourceDefinition: externalsecrets.external-secrets.io - Fetch
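Review bot: the new openbao provider's `server` field is only `type: string` plus `required`; nothing in the schema constrains it to an `https://` URL even though the description's example uses one, so a store pointing at a plaintext endpoint passes admission and the credential supplied via `tokenSecretRef` or `userPass` would be sent unencrypted. The two CEL rules in this hunk enforce only mutual exclusion (exactly one of `appRole`, `tokenSecretRef`, `userPass`; at most one of `caBundle`, `caProvider`), so if this cluster needs TLS-only stores, a `pattern: ^https://` or an admission policy is required rather than relying on the chart's schema. Also relevant for ClusterSecretStore users: the `namespace` on `tokenSecretRef` and `userPass.secretRef` is honoured only for cluster-scoped referents, which is the cross-namespace Secret read path to keep in view when granting RBAC on the store.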
type: string
nullBytePolicy:
- default: Ignore
description: Controls how ESO handles fetched secret data
containing NUL bytes for this source.
enum:
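Review bot: dropping `default: Ignore` from `nullBytePolicy` changes what is persisted for objects that omit the field: ExternalSecrets created after the upgrade will no longer get `Ignore` written in by the API server, while already-stored objects keep the value that was defaulted into them, so handling of fetched data containing NUL bytes now depends on the controller's runtime default and can differ between old and new objects. Before merging, confirm from the v2.7.0 release notes that the runtime default is still equivalent to `Ignore`; otherwise secrets that synced cleanly before may start failing or be altered after the upgrade. The same removal recurs on the other two `nullBytePolicy` fields further down (the per-source field and the find-source field).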
@@ skipped 40 lines (112 -> 151) @@
description: Specify the Kind of the generator resource
enum:
- ACRAccessToken
+ - BeyondtrustWorkloadCredentialsDynamicSecret
- ClusterGenerator
- CloudsmithAccessToken
- ECRAuthorizationToken
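Review bot: adding `BeyondtrustWorkloadCredentialsDynamicSecret` to the generator `kind` enum is an admission-time change only; it does not by itself let a tenant use that generator, which is governed by RBAC on the generator resource and by the controller having the matching CRD installed. If this cluster does not use BeyondTrust, leave the enum as rendered and restrict who may create that generator resource rather than editing the CRD. The same enum entry recurs in the second CRD hunk below.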
@@ skipped 88 lines (159 -> 246) @@
- Fetch
type: string
nullBytePolicy:
- default: Ignore
description: Controls how ESO handles fetched secret data
containing NUL bytes for this source.
enum:
@@ skipped 40 lines (254 -> 293) @@
type: string
type: object
nullBytePolicy:
- default: Ignore
description: Controls how ESO handles fetched secret data
containing NUL bytes for this find source.
enum:
@@ skipped 116 lines (301 -> 416) @@
description: Specify the Kind of the generator resource
enum:
- ACRAccessToken
+ - BeyondtrustWorkloadCredentialsDynamicSecret
- ClusterGenerator
- CloudsmithAccessToken
- ECRAuthorizationToken
@@ skipped 82 lines (424 -> 505) @@
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type: object
+ syncWindows:
+ description: |-
+ SyncWindows optionally restricts when periodic refreshes may occur.
+ Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset).
+ properties:
+ kind:
+ description: |-
+ Kind applies to every window in the list.
+ "allow" -- syncs are permitted only while at least one window is active;
+ all other times are blocked.
+ "deny" -- syncs are blocked while any window is active;
+ all other times are permitted.
+ enum:
+ - allow
+ - deny
+ type: string
+ windows:
+ description: Windows is the list of schedule+duration pairs.
+ items:
+ description: |-
+ ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair
+ within a SyncWindows block.
+ properties:
+ duration:
+ description: |-
+ Duration specifies how long the window stays open after each Schedule
+ firing. Example: "8h".
+ type: string
+ schedule:
+ description: |-
+ Schedule is a standard 5-field cron expression evaluated in UTC, or a
+ named shorthand such as @daily or @every 1h. It marks the start time of
+ each window occurrence.
+ Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC.
+ minLength: 1
+ pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every
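Review bot: in the new `syncWindows` block, `schedule` gets `minLength` and a `pattern`, but `duration` is a bare `type: string` with no format check, so a value such as `8` or `8hours` would pass admission and only be rejected, or misparsed, when the controller evaluates the window; a `pattern` matching Go-style durations, or at minimum `minLength: 1`, would surface the mistake at apply time. Note also that `kind` is described as applying to every window but no `required` list is visible in this hunk, and the preview is truncated right after the `schedule` pattern, so the remainder of the block should be checked in the full rendered manifest before merge.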
+🚨 Diff is too long
This PR contains the following updates:
2.6.0 → 2.7.0

Release Notes
external-secrets/external-secrets (external-secrets)
v2.7.0 (Compare Source)
Image: ghcr.io/external-secrets/external-secrets:v2.7.0
Image: ghcr.io/external-secrets/external-secrets:v2.7.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.7.0-ubi-boringssl

What's Changed
General
- caBundle and caProvider by @phil9909 in #6461
- replicationLocations to AWS SecretsManager provider by @cmoscofian in #6451
- auth.userPass auth method by @phil9909 in #6492
- github.com/pulumi/esc-sdk/sdk to v0.14.0 by @phil9909 in #6495
- auth.appRole auth method by @phil9909 in #6497

Dependencies
- 8942b73 to 46d19c1 by @dependabot[bot] in #6436
- f23e8b2 to 7a3e500 by @dependabot[bot] in #6468
- 5d2b868 to 5f68ec6 in /e2e by @dependabot[bot] in #6471
- 5b10f43 to a2d49ea by @dependabot[bot] in #6469
- 46d19c1 to 1b99266 by @dependabot[bot] in #6467
- a2d49ea to 28bd5fe in /hack/api-docs by @dependabot[bot] in #6472
- a2d49ea to 28bd5fe by @dependabot[bot] in #6499
- 7a3e500 to 3ad5730 by @dependabot[bot] in #6501

New Contributors
Full Changelog: external-secrets/external-secrets@v2.6.0...v2.7.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.